
CVE-2026-39836 Medium False Positive

net: Panic in Dial and LookupPort on Windows via NUL Byte

This CVE does not affect KrakenD

This vulnerability is specific to the Windows platform. KrakenD is primarily deployed on Linux (including containers), where this code path is not triggered. The NUL byte handling issue in net does not affect Linux-based deployments. The dependency was upgraded as a precaution.

Addressed through routine dependency maintenance in CE 2.13.5 and EE 2.13.3.

Component

Go standard library (net)

Disclosed

May 11, 2026

Description

Go’s net package panics in Dial and LookupPort when a network address containing a NUL byte is processed on Windows. An attacker able to supply a network address with an embedded NUL character can crash the Go process.
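As a defense-in-depth measure alongside the upgrade, a service that builds dial targets from untrusted input can reject NUL and other control bytes before the address reaches Dial or LookupPort. The following is an added example, not code from KrakenD or the Go project; ValidateDialAddress and ErrBadAddress are hypothetical names, and it assumes targets are "host:port" strings with numeric ports.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
)

// ErrBadAddress (hypothetical name) wraps every rejection reason.
var ErrBadAddress = errors.New("rejected dial address")

// ValidateDialAddress is a hypothetical helper: it vets an untrusted
// "host:port" string before the caller passes it to net.Dial.
func ValidateDialAddress(addr string) (string, error) {
	// Reject NUL and every other ASCII control byte before any net call.
	for i := 0; i < len(addr); i++ {
		if addr[i] < 0x20 || addr[i] == 0x7f {
			return "", fmt.Errorf("%w: control byte 0x%02x at offset %d", ErrBadAddress, addr[i], i)
		}
	}
	host, port, err := net.SplitHostPort(addr) // string parsing only, no lookup
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrBadAddress, err)
	}
	if host == "" {
		return "", fmt.Errorf("%w: empty host", ErrBadAddress)
	}
	// Accept numeric ports only, so a service name never reaches LookupPort.
	n, err := strconv.ParseUint(port, 10, 16)
	if err != nil || n == 0 {
		return "", fmt.Errorf("%w: port %q is not in 1-65535", ErrBadAddress, port)
	}
	return net.JoinHostPort(host, strconv.FormatUint(n, 10)), nil
}

func main() {
	// Constructed sample inputs, not taken from any real deployment.
	samples := []string{"api.internal:8080", "api.internal\x00:8080",
		"api.internal:http\x00", "[::1]:443", "api.internal:http"}
	for _, a := range samples {
		clean, err := ValidateDialAddress(a)
		fmt.Printf("%q -> %q, err=%v\n", a, clean, err)
	}
}
```

Callers should dial the returned string rather than the original input, and treat any ErrBadAddress as a client error instead of retrying.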
