CVE-2026-33811: Crash when handling long CNAME response in net
Published May 7, 2026
·Updated
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
Affected Software
3 affected components
Google Go net package
Golang Go<1.25.10
Golang Go>=1.26.0<1.26.3
Remediation
Patch Available
Event History
May 7, 2026
CVE Published
via MITRE·07:41 PM
Data Sourced
via MITRE·07:41 PM
DescriptionWeakness
Data Sourced
via NVD·08:16 PM
RemedyDescriptionSeverityWeaknessAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2026-33811?
CVE-2026-33811 is classified as a high severity vulnerability due to its potential to cause application crashes.
2
How do I fix CVE-2026-33811?
To fix CVE-2026-33811, upgrade to the latest version of the Google Go net package that addresses this issue.
3
What causes CVE-2026-33811?
CVE-2026-33811 is caused by a double-free of C memory when handling excessively long CNAME responses using the cgo DNS resolver.
4
Which versions of the Google Go net package are affected by CVE-2026-33811?
Versions of the Google Go net package prior to the security update that addresses CVE-2026-33811 are affected.
5
What kind of impact does CVE-2026-33811 have on applications?
CVE-2026-33811 can lead to application crashes, resulting in potential downtime and disruption of service.