CVE-2026-39824

Publication date 22 May 2026

Last updated 2 June 2026


Ubuntu priority

Cvss 3 Severity Score

3.3 · Low

Score breakdown

Description

NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.

Read the notes from the security team

Status

Package Ubuntu Release Status
golang-golang-x-sys 26.04 LTS resolute
Needs evaluation
25.10 questing Ignored end of life, was needs-triage
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
google-guest-agent 26.04 LTS resolute
Needs evaluation
25.10 questing Ignored end of life, was needs-triage
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation

Notes


alexmurray

google-guest-agent contains a vendored copy of golang-golang-x-sys

Severity score breakdown

CVSS version: CVSS v3.0

Base score 3.3 · Low

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N


Access our resources on patching vulnerabilities