Fluid Attacks Database

Description

Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	golang.org/x/sys	>=0 <0.44.0	0.44.0

Aliases

1. CVE-2026-398242. NVD-2026-398243. OSV-GO-2026-50244. OSV-2026-398245. GCVE-2026-39824

References

1. https://go.dev/issue/789162. https://go.dev/cl/7700803. https://groups.google.com/g/golang-announce/c/6MMI8Lj-Atg

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.