cve-2026-42504

CVE-2026-42504 is a denial-of-service vulnerability in Go's standard-library mime package, affecting WordDecoder.DecodeHeader before Go 1.25.11 and from Go 1.26.0 through versions before Go 1.26.4. Disclosed on June 2, 2026, this bug is not a Windows-specific flaw but is relevant to Windows shops because Go-built services are widely used in mail gateways, security appliances, cloud agents, and internal APIs. The vulnerability demonstrates that a parser does not need memory corruption to cause outages; it only needs to be slow in the right place. Discussions on WindowsForum cover triage and patching strategies for Windows environments relying on Go-based components.