CVE-2026-39824

NameCVE-2026-39824
DescriptionNewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-golang-x-sys (PTS)bullseye0.0~git20210124.22da62e-1fixed
bookworm0.3.0-1fixed
trixie0.22.0-1fixed
forky, sid0.42.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-golang-x-syssource(unstable)(not affected)

Notes

- golang-golang-x-sys <not-affected> (Only affects golang.org/x/sys on Windows)
https://groups.google.com/g/golang-announce/c/6MMI8Lj-Atg
https://github.com/golang/go/issues/78916
Search for package or bug name: Reporting problems