What is CVE-2026-39824?

CVE-2026-39824 is a low-severity vulnerability in Golang.org/x/sys Golang.org/x/sys/windows, classified under Integer Overflow or Wraparound. CVSS score: 3.3/10. Published 2026-05-22.

How severe is CVE-2026-39824?

Low severity. CVSS v3 base score is 3.3 out of 10.

Integer overflow in Golang.org/x/sys Golang.org/x/sys/windows

CVE-2026-39824

NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.

Vulnerability class: Integer Overflow

EPSS: 0.000 (2.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.3 (Low). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.

Affected products

Golang.org/x/sys Golang.org/x/sys/windows — versions 0

Weakness classification (CWE)

CWE-190 — Integer Overflow or Wraparound

References

security@golang.org
security@golang.org
security@golang.org
security@golang.org

Frequently asked questions

What is CVE-2026-39824?: CVE-2026-39824 is a low-severity vulnerability in Golang.org/x/sys Golang.org/x/sys/windows, classified under Integer Overflow or Wraparound. CVSS score: 3.3/10. Published 2026-05-22.
How severe is CVE-2026-39824?: Low severity. CVSS v3 base score is 3.3 out of 10.