CVE-2026-39824

low

Published 2026-05-22 · Modified 2026-05-22

CVSS v3

3.3

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS v2

—

VIR risk

3.3

Description

NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.

Predictions

Exploit likelihood

34%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-39824

OS impact

OS	Version	Status	Fixed in
debian	bookworm	fixed	`0`
debian	bullseye	fixed	`0`
debian	forky	fixed	`0`
debian	sid	fixed	`0`
debian	trixie	fixed	`0`

Package impact

Ecosystem	Package	Vulnerable	Fixed
Go	golang.org/x/sys	`<0.44.0`	`0.44.0`

References

https://go.dev/issue/78916
https://go.dev/cl/770080
https://groups.google.com/g/golang-announce/c/6MMI8Lj-Atg
https://pkg.go.dev/vuln/GO-2026-5024
https://security-tracker.debian.org/tracker/CVE-2026-39824

CWEs

CWE-190: CWE-190

Verify integrity in audit chain (admin only). AS-IS.