Vulnerability-Lookup

WID-SEC-W-2026-1006

Vulnerability from csaf_certbund - Published: 2026-04-07 22:00 - Updated: 2026-05-20 22:00

Summary

Golang Go: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Go ist eine quelloffene Programmiersprache.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Golang Go ausnutzen, um Speicherbeschädigungen zu verursachen, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand auszulösen oder andere, nicht näher spezifizierte Angriffe durchzuführen.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2026-27140

Affected products

Known affected 15 products

Product	Identifier	Version
Red Hat Enterprise Linux 10 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Golang Go <1.25.9 Golang / Go		<1.25.9
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Golang Go <1.26.2 Golang / Go		<1.26.2
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6

CVE-2026-27143

Affected products

Known affected 15 products

Product	Identifier	Version
Red Hat Enterprise Linux 10 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Golang Go <1.25.9 Golang / Go		<1.25.9
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Golang Go <1.26.2 Golang / Go		<1.26.2
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6

CVE-2026-27144

Affected products

Known affected 15 products

Product	Identifier	Version
Red Hat Enterprise Linux 10 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Golang Go <1.25.9 Golang / Go		<1.25.9
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Golang Go <1.26.2 Golang / Go		<1.26.2
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6

CVE-2026-32280

Affected products

Known affected 15 products

Product	Identifier	Version
Red Hat Enterprise Linux 10 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Golang Go <1.25.9 Golang / Go		<1.25.9
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Golang Go <1.26.2 Golang / Go		<1.26.2
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6

CVE-2026-32281

Affected products

Known affected 15 products

Product	Identifier	Version
Red Hat Enterprise Linux 10 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Golang Go <1.25.9 Golang / Go		<1.25.9
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Golang Go <1.26.2 Golang / Go		<1.26.2
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6

CVE-2026-32282

Affected products

Known affected 15 products

Product	Identifier	Version
Red Hat Enterprise Linux 10 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Golang Go <1.25.9 Golang / Go		<1.25.9
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Golang Go <1.26.2 Golang / Go		<1.26.2
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6

CVE-2026-32283

Affected products

Known affected 15 products

Product	Identifier	Version
Red Hat Enterprise Linux 10 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Golang Go <1.25.9 Golang / Go		<1.25.9
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Golang Go <1.26.2 Golang / Go		<1.26.2
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6

CVE-2026-32288

Affected products

Known affected 15 products

Product	Identifier	Version
Red Hat Enterprise Linux 10 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Golang Go <1.25.9 Golang / Go		<1.25.9
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Golang Go <1.26.2 Golang / Go		<1.26.2
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6

CVE-2026-32289

Affected products

Known affected 15 products

Product	Identifier	Version
Red Hat Enterprise Linux 10 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Golang Go <1.25.9 Golang / Go		<1.25.9
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Golang Go <1.26.2 Golang / Go		<1.26.2
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6

CVE-2026-33810

Affected products

Known affected 15 products

Product	Identifier	Version
Red Hat Enterprise Linux 10 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Golang Go <1.25.9 Golang / Go		<1.25.9
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Golang Go <1.26.2 Golang / Go		<1.26.2
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6

References

113 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://groups.google.com/g/golang-announce/c/0uY…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://msrc.microsoft.com/update-guide/	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://access.redhat.com/errata/RHSA-2026:10155	external
https://access.redhat.com/errata/RHSA-2026:10217	external
https://access.redhat.com/errata/RHSA-2026:10158	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://linux.oracle.com/errata/ELSA-2026-10219.html	external
https://linux.oracle.com/errata/ELSA-2026-10217.html	external
https://access.redhat.com/errata/RHSA-2026:11330	external
https://access.redhat.com/errata/RHSA-2026:11331	external
https://linux.oracle.com/errata/ELSA-2026-10704.html	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://access.redhat.com/errata/RHSA-2026:11408	external
https://access.redhat.com/errata/RHSA-2026:11507	external
https://access.redhat.com/errata/RHSA-2026:11514	external
https://linux.oracle.com/errata/ELSA-2026-11514.html	external
https://linux.oracle.com/errata/ELSA-2026-11507.html	external
https://linux.oracle.com/errata/ELSA-2026-11704.html	external
https://linux.oracle.com/errata/ELSA-2026-11711.html	external
https://access.redhat.com/errata/RHSA-2026:11688	external
https://access.redhat.com/errata/RHSA-2026:11704	external
https://access.redhat.com/errata/RHSA-2026:11712	external
https://access.redhat.com/errata/RHSA-2026:11803	external
https://access.redhat.com/errata/RHSA-2026:11863	external
https://access.redhat.com/errata/RHSA-2026:11881	external
https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-…	external
https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAV…	external
https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAV…	external
https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-…	external
https://linux.oracle.com/errata/ELSA-2026-11712.html	external
https://alas.aws.amazon.com/AL2/ALAS2-2026-3259.html	external
https://alas.aws.amazon.com/AL2/ALAS2-2026-3260.html	external
https://alas.aws.amazon.com/AL2/ALAS2-2026-3265.html	external
https://access.redhat.com/errata/RHSA-2026:7385	external
https://docs.cloud.google.com/container-optimized…	external
http://linux.oracle.com/errata/ELSA-2026-11881.html	external
https://access.redhat.com/errata/RHSA-2026:13545	external
https://lists.opensuse.org/archives/list/security…	external
https://access.redhat.com/errata/RHSA-2026:13826	external
https://access.redhat.com/errata/RHSA-2026:14162	external
https://access.redhat.com/errata/RHSA-2026:14391	external
https://linux.oracle.com/errata/ELSA-2026-14200.html	external
https://errata.build.resf.org/RLSA-2026:11704	external
https://errata.build.resf.org/RLSA-2026:11514	external
https://access.redhat.com/errata/RHSA-2026:14200	external
https://errata.build.resf.org/RLSA-2026:11507	external
https://errata.build.resf.org/RLSA-2026:10704	external
https://errata.build.resf.org/RLSA-2026:10219	external
https://errata.build.resf.org/RLSA-2026:10217	external
https://errata.build.resf.org/RLSA-2026:11881	external
https://errata.build.resf.org/RLSA-2026:11712	external
https://access.redhat.com/errata/RHSA-2026:14020	external
https://errata.build.resf.org/RLSA-2026:11711	external
https://errata.build.resf.org/RLSA-2026:14200	external
https://access.redhat.com/errata/RHSA-2026:16101	external
https://access.redhat.com/errata/RHSA-2026:16102	external
https://access.redhat.com/errata/RHSA-2026:16021	external
https://access.redhat.com/errata/RHSA-2026:15980	external
https://access.redhat.com/errata/RHSA-2026:16024	external
https://access.redhat.com/errata/RHSA-2026:16476	external
https://access.redhat.com/errata/RHSA-2026:16477	external
https://access.redhat.com/errata/RHSA-2026:16508	external
https://access.redhat.com/errata/RHSA-2026:16535	external
https://access.redhat.com/errata/RHSA-2026:16505	external
https://access.redhat.com/errata/RHSA-2026:16694	external
https://access.redhat.com/errata/RHSA-2026:16697	external
https://access.redhat.com/errata/RHSA-2026:16698	external
https://access.redhat.com/errata/RHSA-2026:16875	external
http://linux.oracle.com/errata/ELSA-2026-17075.html	external
https://access.redhat.com/errata/RHSA-2026:17075	external
https://access.redhat.com/errata/RHSA-2026:17287	external
https://access.redhat.com/errata/RHSA-2026:17084	external
https://access.redhat.com/errata/RHSA-2026:16874	external
http://linux.oracle.com/errata/ELSA-2026-16875.html	external
https://errata.build.resf.org/RLSA-2026:16875	external
https://access.redhat.com/errata/RHSA-2026:18032	external
https://access.redhat.com/errata/RHSA-2026:18027	external
https://errata.build.resf.org/RLSA-2026:17075	external
https://access.redhat.com/errata/RHSA-2026:19352	external
https://access.redhat.com/errata/RHSA-2026:19156	external
https://access.redhat.com/errata/RHSA-2026:19351	external
https://access.redhat.com/errata/RHSA-2026:19353	external
https://access.redhat.com/errata/RHSA-2026:19136	external
https://access.redhat.com/errata/RHSA-2026:19450	external
https://access.redhat.com/errata/RHSA-2026:19133	external
https://access.redhat.com/errata/RHSA-2026:19132	external
https://access.redhat.com/errata/RHSA-2026:19144	external
https://access.redhat.com/errata/RHSA-2026:19139	external
https://access.redhat.com/errata/RHSA-2026:19375	external
https://access.redhat.com/errata/RHSA-2026:19350	external
https://access.redhat.com/errata/RHSA-2026:19137	external
https://access.redhat.com/errata/RHSA-2026:19135	external
https://access.redhat.com/errata/RHSA-2026:19126	external
https://access.redhat.com/errata/RHSA-2026:19369	external
https://access.redhat.com/errata/RHSA-2026:19550	external
https://access.redhat.com/errata/RHSA-2026:19721	external
https://access.redhat.com/errata/RHSA-2026:19634	external
https://access.redhat.com/errata/RHSA-2026:19839	external
https://access.redhat.com/errata/RHSA-2026:19750	external
https://access.redhat.com/errata/RHSA-2026:19722	external
https://access.redhat.com/errata/RHSA-2026:19720	external
https://access.redhat.com/errata/RHSA-2026:19719	external
https://access.redhat.com/errata/RHSA-2026:19715	external
https://access.redhat.com/errata/RHSA-2026:19714	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Go ist eine quelloffene Programmiersprache.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Golang Go ausnutzen, um Speicherbesch\u00e4digungen zu verursachen, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand auszul\u00f6sen oder andere, nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1006 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1006.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1006 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1006"
      },
      {
        "category": "external",
        "summary": "Go 1.26.2 and Go 1.25.9 releases vom 2026-04-07",
        "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10514-1 vom 2026-04-10",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BIFYJ3KCIJYPIKUGNHN2MS6KKEB6TGGF/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1320-1 vom 2026-04-14",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025336.html"
      },
      {
        "category": "external",
        "summary": "Microsoft Security Update Guide vom 2026-04-14",
        "url": "https://msrc.microsoft.com/update-guide/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1321-1 vom 2026-04-14",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025335.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:20570-1 vom 2026-04-21",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SQT5EUOF2E2KJWKJ36C75FCCQIOCQMQL/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:20571-1 vom 2026-04-21",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RQFYGQRFE62FS4PPTIBWFMAPVOHKEBWJ/"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:10155 vom 2026-04-23",
        "url": "https://access.redhat.com/errata/RHSA-2026:10155"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:10217 vom 2026-04-23",
        "url": "https://access.redhat.com/errata/RHSA-2026:10217"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:10158 vom 2026-04-23",
        "url": "https://access.redhat.com/errata/RHSA-2026:10158"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1581-1 vom 2026-04-24",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025608.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1580-1 vom 2026-04-24",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025609.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-10219 vom 2026-04-24",
        "url": "https://linux.oracle.com/errata/ELSA-2026-10219.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-10217 vom 2026-04-24",
        "url": "https://linux.oracle.com/errata/ELSA-2026-10217.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11330 vom 2026-04-28",
        "url": "https://access.redhat.com/errata/RHSA-2026:11330"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11331 vom 2026-04-28",
        "url": "https://access.redhat.com/errata/RHSA-2026:11331"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-10704 vom 2026-04-28",
        "url": "https://linux.oracle.com/errata/ELSA-2026-10704.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21356-1 vom 2026-04-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025747.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21355-1 vom 2026-04-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025748.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11408 vom 2026-04-28",
        "url": "https://access.redhat.com/errata/RHSA-2026:11408"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11507 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11507"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11514 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11514"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-11514 vom 2026-04-30",
        "url": "https://linux.oracle.com/errata/ELSA-2026-11514.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-11507 vom 2026-04-30",
        "url": "https://linux.oracle.com/errata/ELSA-2026-11507.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-11704 vom 2026-04-30",
        "url": "https://linux.oracle.com/errata/ELSA-2026-11704.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-11711 vom 2026-04-30",
        "url": "https://linux.oracle.com/errata/ELSA-2026-11711.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11688 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11688"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11704 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11704"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11712 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11712"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11803 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11803"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11863 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11863"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11881 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11881"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2DOCKER-2026-111 vom 2026-04-30",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-111.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2NITRO-ENCLAVES-2026-097 vom 2026-04-30",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAVES-2026-097.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2NITRO-ENCLAVES-2026-098 vom 2026-04-30",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAVES-2026-098.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2DOCKER-2026-112 vom 2026-04-30",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-112.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-11712 vom 2026-04-30",
        "url": "https://linux.oracle.com/errata/ELSA-2026-11712.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2026-3259 vom 2026-04-30",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2-2026-3259.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2026-3260 vom 2026-04-30",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2-2026-3260.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2026-3265 vom 2026-04-30",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2-2026-3265.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:7385 vom 2026-05-02",
        "url": "https://access.redhat.com/errata/RHSA-2026:7385"
      },
      {
        "category": "external",
        "summary": "Container-Optimized OS release notes vom 2026-05-02",
        "url": "https://docs.cloud.google.com/container-optimized-os/docs/release-notes#May_01_2026"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-11881 vom 2026-05-01",
        "url": "http://linux.oracle.com/errata/ELSA-2026-11881.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:13545 vom 2026-05-04",
        "url": "https://access.redhat.com/errata/RHSA-2026:13545"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10673-1 vom 2026-05-05",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q3OZSPPM6XK6DDXQVFJ4HPEX7OWUAW42/"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:13826 vom 2026-05-05",
        "url": "https://access.redhat.com/errata/RHSA-2026:13826"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:14162 vom 2026-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2026:14162"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:14391 vom 2026-05-07",
        "url": "https://access.redhat.com/errata/RHSA-2026:14391"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-14200 vom 2026-05-07",
        "url": "https://linux.oracle.com/errata/ELSA-2026-14200.html"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:11704 vom 2026-05-06",
        "url": "https://errata.build.resf.org/RLSA-2026:11704"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:11514 vom 2026-05-06",
        "url": "https://errata.build.resf.org/RLSA-2026:11514"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:14200 vom 2026-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2026:14200"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:11507 vom 2026-05-06",
        "url": "https://errata.build.resf.org/RLSA-2026:11507"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:10704 vom 2026-05-06",
        "url": "https://errata.build.resf.org/RLSA-2026:10704"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:10219 vom 2026-05-06",
        "url": "https://errata.build.resf.org/RLSA-2026:10219"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:10217 vom 2026-05-06",
        "url": "https://errata.build.resf.org/RLSA-2026:10217"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:11881 vom 2026-05-06",
        "url": "https://errata.build.resf.org/RLSA-2026:11881"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:11712 vom 2026-05-06",
        "url": "https://errata.build.resf.org/RLSA-2026:11712"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:14020 vom 2026-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2026:14020"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:11711 vom 2026-05-06",
        "url": "https://errata.build.resf.org/RLSA-2026:11711"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:14200 vom 2026-05-08",
        "url": "https://errata.build.resf.org/RLSA-2026:14200"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16101 vom 2026-05-12",
        "url": "https://access.redhat.com/errata/RHSA-2026:16101"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16102 vom 2026-05-12",
        "url": "https://access.redhat.com/errata/RHSA-2026:16102"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16021 vom 2026-05-11",
        "url": "https://access.redhat.com/errata/RHSA-2026:16021"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:15980 vom 2026-05-11",
        "url": "https://access.redhat.com/errata/RHSA-2026:15980"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16024 vom 2026-05-11",
        "url": "https://access.redhat.com/errata/RHSA-2026:16024"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16476 vom 2026-05-12",
        "url": "https://access.redhat.com/errata/RHSA-2026:16476"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16477 vom 2026-05-12",
        "url": "https://access.redhat.com/errata/RHSA-2026:16477"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16508 vom 2026-05-12",
        "url": "https://access.redhat.com/errata/RHSA-2026:16508"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16535 vom 2026-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2026:16535"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16505 vom 2026-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2026:16505"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16694 vom 2026-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2026:16694"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16697 vom 2026-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2026:16697"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16698 vom 2026-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2026:16698"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16875 vom 2026-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2026:16875"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-17075 vom 2026-05-15",
        "url": "http://linux.oracle.com/errata/ELSA-2026-17075.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17075 vom 2026-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2026:17075"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17287 vom 2026-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2026:17287"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17084 vom 2026-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2026:17084"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16874 vom 2026-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2026:16874"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-16875 vom 2026-05-15",
        "url": "http://linux.oracle.com/errata/ELSA-2026-16875.html"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:16875 vom 2026-05-14",
        "url": "https://errata.build.resf.org/RLSA-2026:16875"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:18032 vom 2026-05-18",
        "url": "https://access.redhat.com/errata/RHSA-2026:18032"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:18027 vom 2026-05-18",
        "url": "https://access.redhat.com/errata/RHSA-2026:18027"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:17075 vom 2026-05-16",
        "url": "https://errata.build.resf.org/RLSA-2026:17075"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19352 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19352"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19156 vom 2026-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:19156"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19351 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19351"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19353 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19353"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19136 vom 2026-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:19136"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19450 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19450"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19133 vom 2026-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:19133"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19132 vom 2026-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:19132"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19144 vom 2026-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:19144"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19139 vom 2026-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:19139"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19375 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19375"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19350 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19350"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19137 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19137"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19135 vom 2026-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:19135"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19126 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19126"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19369 vom 2026-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:19369"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19550 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19550"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19721 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19721"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19634 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19634"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19839 vom 2026-05-21",
        "url": "https://access.redhat.com/errata/RHSA-2026:19839"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19750 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19750"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19722 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19722"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19720 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19720"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19719 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19719"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19715 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19715"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19714 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19714"
      }
    ],
    "source_lang": "en-US",
    "title": "Golang Go: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-20T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-21T07:57:02.875+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1006",
      "initial_release_date": "2026-04-07T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-07T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-04-09T22:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: 2456336"
        },
        {
          "date": "2026-04-12T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-04-14T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-21T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-04-23T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-04-26T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2026-04-27T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-04-28T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von SUSE und Red Hat aufgenommen"
        },
        {
          "date": "2026-04-29T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Oracle Linux, Red Hat und Amazon aufgenommen"
        },
        {
          "date": "2026-05-03T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen"
        },
        {
          "date": "2026-05-04T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-05T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von openSUSE und Red Hat aufgenommen"
        },
        {
          "date": "2026-05-06T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von Red Hat, Oracle Linux und Rocky Enterprise Software Foundation aufgenommen"
        },
        {
          "date": "2026-05-10T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von Rocky Enterprise Software Foundation aufgenommen"
        },
        {
          "date": "2026-05-11T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-12T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-14T22:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von Oracle Linux, Red Hat und Rocky Enterprise Software Foundation aufgenommen"
        },
        {
          "date": "2026-05-17T22:00:00.000+00:00",
          "number": "19",
          "summary": "Neue Updates von Red Hat und Rocky Enterprise Software Foundation aufgenommen"
        },
        {
          "date": "2026-05-19T22:00:00.000+00:00",
          "number": "20",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-20T22:00:00.000+00:00",
          "number": "21",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "21"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.26.2",
                "product": {
                  "name": "Golang Go \u003c1.26.2",
                  "product_id": "T052518"
                }
              },
              {
                "category": "product_version",
                "name": "1.26.2",
                "product": {
                  "name": "Golang Go 1.26.2",
                  "product_id": "T052518-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:golang:go:1.26.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.25.9",
                "product": {
                  "name": "Golang Go \u003c1.25.9",
                  "product_id": "T052519"
                }
              },
              {
                "category": "product_version",
                "name": "1.25.9",
                "product": {
                  "name": "Golang Go 1.25.9",
                  "product_id": "T052519-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:golang:go:1.25.9"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Go"
          }
        ],
        "category": "vendor",
        "name": "Golang"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Google Container-Optimized OS",
            "product": {
              "name": "Google Container-Optimized OS",
              "product_id": "1607324",
              "product_identification_helper": {
                "cpe": "cpe:/o:google:container-optimized_os:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Google"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "azl3",
                "product": {
                  "name": "Microsoft Azure Linux azl3",
                  "product_id": "T049210",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:microsoft:azure_linux:azl3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "RESF Rocky Linux",
            "product": {
              "name": "RESF Rocky Linux",
              "product_id": "T032255",
              "product_identification_helper": {
                "cpe": "cpe:/o:resf:rocky_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "RESF"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux",
                "product": {
                  "name": "Red Hat Enterprise Linux",
                  "product_id": "67646",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:-"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "10",
                "product": {
                  "name": "Red Hat Enterprise Linux 10",
                  "product_id": "T054023",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:10"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "10.0 Extended Update Support",
                "product": {
                  "name": "Red Hat Enterprise Linux 10.0 Extended Update Support",
                  "product_id": "T054025",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:10.0_extended_update_support"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "9.6 Extended Update Support",
                "product": {
                  "name": "Red Hat Enterprise Linux 9.6 Extended Update Support",
                  "product_id": "T054028",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:9.6_extended_update_support"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Service Mesh 2.6",
                "product": {
                  "name": "Red Hat OpenShift Service Mesh 2.6",
                  "product_id": "T049215",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:service_mesh_2.6"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Network Observability 1.11.2",
                "product": {
                  "name": "Red Hat OpenShift Network Observability 1.11.2",
                  "product_id": "T054021",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:network_observability_1.11.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OpenShift"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-27140",
      "product_status": {
        "known_affected": [
          "T054023",
          "T054021",
          "67646",
          "T004914",
          "T054028",
          "T032255",
          "T054025",
          "T052519",
          "T002207",
          "T052518",
          "T027843",
          "398363",
          "T049210",
          "1607324",
          "T049215"
        ]
      },
      "release_date": "2026-04-07T22:00:00.000+00:00",
      "title": "CVE-2026-27140"
    },
    {
      "cve": "CVE-2026-27143",
      "product_status": {
        "known_affected": [
          "T054023",
          "T054021",
          "67646",
          "T004914",
          "T054028",
          "T032255",
          "T054025",
          "T052519",
          "T002207",
          "T052518",
          "T027843",
          "398363",
          "T049210",
          "1607324",
          "T049215"
        ]
      },
      "release_date": "2026-04-07T22:00:00.000+00:00",
      "title": "CVE-2026-27143"
    },
    {
      "cve": "CVE-2026-27144",
      "product_status": {
        "known_affected": [
          "T054023",
          "T054021",
          "67646",
          "T004914",
          "T054028",
          "T032255",
          "T054025",
          "T052519",
          "T002207",
          "T052518",
          "T027843",
          "398363",
          "T049210",
          "1607324",
          "T049215"
        ]
      },
      "release_date": "2026-04-07T22:00:00.000+00:00",
      "title": "CVE-2026-27144"
    },
    {
      "cve": "CVE-2026-32280",
      "product_status": {
        "known_affected": [
          "T054023",
          "T054021",
          "67646",
          "T004914",
          "T054028",
          "T032255",
          "T054025",
          "T052519",
          "T002207",
          "T052518",
          "T027843",
          "398363",
          "T049210",
          "1607324",
          "T049215"
        ]
      },
      "release_date": "2026-04-07T22:00:00.000+00:00",
      "title": "CVE-2026-32280"
    },
    {
      "cve": "CVE-2026-32281",
      "product_status": {
        "known_affected": [
          "T054023",
          "T054021",
          "67646",
          "T004914",
          "T054028",
          "T032255",
          "T054025",
          "T052519",
          "T002207",
          "T052518",
          "T027843",
          "398363",
          "T049210",
          "1607324",
          "T049215"
        ]
      },
      "release_date": "2026-04-07T22:00:00.000+00:00",
      "title": "CVE-2026-32281"
    },
    {
      "cve": "CVE-2026-32282",
      "product_status": {
        "known_affected": [
          "T054023",
          "T054021",
          "67646",
          "T004914",
          "T054028",
          "T032255",
          "T054025",
          "T052519",
          "T002207",
          "T052518",
          "T027843",
          "398363",
          "T049210",
          "1607324",
          "T049215"
        ]
      },
      "release_date": "2026-04-07T22:00:00.000+00:00",
      "title": "CVE-2026-32282"
    },
    {
      "cve": "CVE-2026-32283",
      "product_status": {
        "known_affected": [
          "T054023",
          "T054021",
          "67646",
          "T004914",
          "T054028",
          "T032255",
          "T054025",
          "T052519",
          "T002207",
          "T052518",
          "T027843",
          "398363",
          "T049210",
          "1607324",
          "T049215"
        ]
      },
      "release_date": "2026-04-07T22:00:00.000+00:00",
      "title": "CVE-2026-32283"
    },
    {
      "cve": "CVE-2026-32288",
      "product_status": {
        "known_affected": [
          "T054023",
          "T054021",
          "67646",
          "T004914",
          "T054028",
          "T032255",
          "T054025",
          "T052519",
          "T002207",
          "T052518",
          "T027843",
          "398363",
          "T049210",
          "1607324",
          "T049215"
        ]
      },
      "release_date": "2026-04-07T22:00:00.000+00:00",
      "title": "CVE-2026-32288"
    },
    {
      "cve": "CVE-2026-32289",
      "product_status": {
        "known_affected": [
          "T054023",
          "T054021",
          "67646",
          "T004914",
          "T054028",
          "T032255",
          "T054025",
          "T052519",
          "T002207",
          "T052518",
          "T027843",
          "398363",
          "T049210",
          "1607324",
          "T049215"
        ]
      },
      "release_date": "2026-04-07T22:00:00.000+00:00",
      "title": "CVE-2026-32289"
    },
    {
      "cve": "CVE-2026-33810",
      "product_status": {
        "known_affected": [
          "T054023",
          "T054021",
          "67646",
          "T004914",
          "T054028",
          "T032255",
          "T054025",
          "T052519",
          "T002207",
          "T052518",
          "T027843",
          "398363",
          "T049210",
          "1607324",
          "T049215"
        ]
      },
      "release_date": "2026-04-07T22:00:00.000+00:00",
      "title": "CVE-2026-33810"
    }
  ]
}

CVE-2026-27140 (GCVE-0-2026-27140)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 13:22

Title

Code execution vulnerability in SWIG code generation in cmd/go

Summary

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-501 - Trust Boundary Violation

Assigner

References

4 references

URL	Tags
https://go.dev/cl/763768
https://go.dev/issue/78335
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4871

Impacted products

1 product

Vendor	Product	Version
Go toolchain	cmd/go	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Juho Forsén of Mattermost

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27140",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T03:55:58.901718Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T13:22:34.117Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/go",
          "product": "cmd/go",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Juho Fors\u00e9n of Mattermost"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SWIG file names containing \u0027cgo\u0027 and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-501: Trust Boundary Violation",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:57.893Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/763768"
        },
        {
          "url": "https://go.dev/issue/78335"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4871"
        }
      ],
      "title": "Code execution vulnerability in SWIG code generation in cmd/go"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27140",
    "datePublished": "2026-04-08T01:06:57.893Z",
    "dateReserved": "2026-02-17T19:57:28.435Z",
    "dateUpdated": "2026-04-13T13:22:34.117Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27143 (GCVE-0-2026-27143)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:20

Title

Missing bound checks can lead to memory corruption in safe Go in cmd/compile

Summary

Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

References

4 references

URL	Tags
https://go.dev/cl/763765
https://go.dev/issue/78333
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4868

Impacted products

1 product

Vendor	Product	Version
Go toolchain	cmd/compile	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Jakub Ciolek - https://ciolek.dev/

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27143",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:50:24.131708Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:20:17.933Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/compile",
          "product": "cmd/compile",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev/"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-190: Integer Overflow or Wraparound",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:57.168Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/763765"
        },
        {
          "url": "https://go.dev/issue/78333"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4868"
        }
      ],
      "title": "Missing bound checks can lead to memory corruption in safe Go in cmd/compile"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27143",
    "datePublished": "2026-04-08T01:06:57.168Z",
    "dateReserved": "2026-02-17T19:57:28.435Z",
    "dateUpdated": "2026-04-13T18:20:17.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27144 (GCVE-0-2026-27144)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:20

Title

Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile

Summary

The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.

Severity

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE

CWE-440 - Expected Behavior Violation

Assigner

References

4 references

URL	Tags
https://go.dev/cl/763764
https://go.dev/issue/78371
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4867

Impacted products

1 product

Vendor	Product	Version
Go toolchain	cmd/compile	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Jakub Ciolek - https://ciolek.dev/

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27144",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:49:47.300247Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:20:28.098Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/compile",
          "product": "cmd/compile",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev/"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-440: Expected Behavior Violation",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:56.908Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/763764"
        },
        {
          "url": "https://go.dev/issue/78371"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4867"
        }
      ],
      "title": "Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27144",
    "datePublished": "2026-04-08T01:06:56.908Z",
    "dateReserved": "2026-02-17T19:57:28.435Z",
    "dateUpdated": "2026-04-13T18:20:28.098Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32280 (GCVE-0-2026-32280)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-08 17:46

Title

Unexpected work during chain building in crypto/x509

Summary

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

References

4 references

URL	Tags
https://go.dev/cl/758320
https://go.dev/issue/78282
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4947

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Jakub Ciolek - https://ciolek.dev

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32280",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T17:46:14.569488Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T17:46:47.347Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "Certificate.buildChains"
            },
            {
              "name": "Certificate.Verify"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:58.595Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/758320"
        },
        {
          "url": "https://go.dev/issue/78282"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4947"
        }
      ],
      "title": "Unexpected work during chain building in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32280",
    "datePublished": "2026-04-08T01:06:58.595Z",
    "dateReserved": "2026-03-11T16:38:46.555Z",
    "dateUpdated": "2026-04-08T17:46:47.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32281 (GCVE-0-2026-32281)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:19

Title

Inefficient policy validation in crypto/x509

Summary

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

4 references

URL	Tags
https://go.dev/cl/758061
https://go.dev/issue/78281
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4946

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Jakub Ciolek - https://ciolek.dev

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32281",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:52:37.734298Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:19:44.779Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "policiesValid"
            },
            {
              "name": "Certificate.Verify"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:58.354Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/758061"
        },
        {
          "url": "https://go.dev/issue/78281"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4946"
        }
      ],
      "title": "Inefficient policy validation in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32281",
    "datePublished": "2026-04-08T01:06:58.354Z",
    "dateReserved": "2026-03-11T16:38:46.556Z",
    "dateUpdated": "2026-04-13T18:19:44.779Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32282 (GCVE-0-2026-32282)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:20

Title

TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

Summary

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Severity

6.4 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following

Assigner

References

4 references

URL	Tags
https://go.dev/cl/763761
https://go.dev/issue/78293
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4864

Impacted products

1 product

Vendor	Product	Version
Go standard library	internal/syscall/unix	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Uuganbayar Lkhamsuren (https://github.com/uug4na)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32282",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:47:42.666766Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:20:56.456Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "internal/syscall/unix",
          "platforms": [
            "linux"
          ],
          "product": "internal/syscall/unix",
          "programRoutines": [
            {
              "name": "Fchmodat"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Uuganbayar Lkhamsuren (https://github.com/uug4na)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:55.953Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/763761"
        },
        {
          "url": "https://go.dev/issue/78293"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4864"
        }
      ],
      "title": "TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32282",
    "datePublished": "2026-04-08T01:06:55.953Z",
    "dateReserved": "2026-03-11T16:38:46.556Z",
    "dateUpdated": "2026-04-13T18:20:56.456Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32283 (GCVE-0-2026-32283)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:19

Title

Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls

Summary

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-667 - Improper Locking

Assigner

References

4 references

URL	Tags
https://go.dev/cl/763767
https://go.dev/issue/78334
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4870

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/tls	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Jakub Ciolek - https://ciolek.dev/

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32283",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:51:46.207289Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:19:55.848Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/tls",
          "product": "crypto/tls",
          "programRoutines": [
            {
              "name": "Conn.handleKeyUpdate"
            },
            {
              "name": "clientHandshakeStateTLS13.establishHandshakeKeys"
            },
            {
              "name": "clientHandshakeStateTLS13.readServerFinished"
            },
            {
              "name": "serverHandshakeStateTLS13.sendServerParameters"
            },
            {
              "name": "serverHandshakeStateTLS13.readClientFinished"
            },
            {
              "name": "Conn.Handshake"
            },
            {
              "name": "Conn.HandshakeContext"
            },
            {
              "name": "Conn.Read"
            },
            {
              "name": "Conn.Write"
            },
            {
              "name": "Dial"
            },
            {
              "name": "DialWithDialer"
            },
            {
              "name": "Dialer.Dial"
            },
            {
              "name": "Dialer.DialContext"
            },
            {
              "name": "QUICConn.HandleData"
            },
            {
              "name": "QUICConn.Start"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev/"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-667: Improper Locking",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:57.670Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/763767"
        },
        {
          "url": "https://go.dev/issue/78334"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4870"
        }
      ],
      "title": "Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32283",
    "datePublished": "2026-04-08T01:06:57.670Z",
    "dateReserved": "2026-03-11T16:38:46.556Z",
    "dateUpdated": "2026-04-13T18:19:55.848Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32288 (GCVE-0-2026-32288)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:20

Title

Unbounded allocation for old GNU sparse in archive/tar

Summary

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Severity

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

References

4 references

URL	Tags
https://go.dev/cl/763766
https://go.dev/issue/78301
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4869

Impacted products

1 product

Vendor	Product	Version
Go standard library	archive/tar	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Colin Walters (walters@verbum.org) Uuganbayar Lkhamsuren (https://github.com/uug4na) Jakub Ciolek

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32288",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:51:05.649111Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:20:08.191Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "archive/tar",
          "product": "archive/tar",
          "programRoutines": [
            {
              "name": "Reader.readOldGNUSparseMap"
            },
            {
              "name": "readGNUSparseMap1x0"
            },
            {
              "name": "Reader.Next"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Colin Walters (walters@verbum.org)"
        },
        {
          "lang": "en",
          "value": "Uuganbayar Lkhamsuren (https://github.com/uug4na)"
        },
        {
          "lang": "en",
          "value": "Jakub Ciolek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the \"old GNU sparse map\" format."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:57.416Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/763766"
        },
        {
          "url": "https://go.dev/issue/78301"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4869"
        }
      ],
      "title": "Unbounded allocation for old GNU sparse in archive/tar"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32288",
    "datePublished": "2026-04-08T01:06:57.416Z",
    "dateReserved": "2026-03-11T16:38:46.557Z",
    "dateUpdated": "2026-04-13T18:20:08.191Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32289 (GCVE-0-2026-32289)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:20

Title

JsBraceDepth Context Tracking Bugs (XSS) in html/template

Summary

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

References

4 references

URL	Tags
https://go.dev/cl/763762
https://go.dev/issue/78331
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4865

Impacted products

1 product

Vendor	Product	Version
Go standard library	html/template	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32289",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:48:22.714020Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:20:46.377Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "html/template",
          "product": "html/template",
          "programRoutines": [
            {
              "name": "context.String"
            },
            {
              "name": "context.mangle"
            },
            {
              "name": "escaper.escapeBranch"
            },
            {
              "name": "Error.Error"
            },
            {
              "name": "HTMLEscaper"
            },
            {
              "name": "JSEscape"
            },
            {
              "name": "JSEscapeString"
            },
            {
              "name": "JSEscaper"
            },
            {
              "name": "ParseFS"
            },
            {
              "name": "ParseFiles"
            },
            {
              "name": "ParseGlob"
            },
            {
              "name": "Template.AddParseTree"
            },
            {
              "name": "Template.Clone"
            },
            {
              "name": "Template.DefinedTemplates"
            },
            {
              "name": "Template.Execute"
            },
            {
              "name": "Template.ExecuteTemplate"
            },
            {
              "name": "Template.Funcs"
            },
            {
              "name": "Template.Parse"
            },
            {
              "name": "Template.ParseFS"
            },
            {
              "name": "Template.ParseFiles"
            },
            {
              "name": "Template.ParseGlob"
            },
            {
              "name": "URLQueryEscaper"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:56.297Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/763762"
        },
        {
          "url": "https://go.dev/issue/78331"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4865"
        }
      ],
      "title": "JsBraceDepth Context Tracking Bugs (XSS) in html/template"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32289",
    "datePublished": "2026-04-08T01:06:56.297Z",
    "dateReserved": "2026-03-11T16:38:46.557Z",
    "dateUpdated": "2026-04-13T18:20:46.377Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33810 (GCVE-0-2026-33810)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-20 17:23

Title

Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509

Summary

When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-295 - Improper Certificate Validation

Assigner

References

4 references

URL	Tags
https://go.dev/cl/763763
https://go.dev/issue/78332
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4866

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Riyas from Saintgits College of Engineering k1rnt @1seal

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-33810",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:48:57.879958Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:20:37.411Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-20T17:23:21.823Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/19/4"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/20/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "newDNSConstraints"
            },
            {
              "name": "dnsConstraints.query"
            },
            {
              "name": "Certificate.Verify"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Riyas from Saintgits College of Engineering"
        },
        {
          "lang": "en",
          "value": "k1rnt"
        },
        {
          "lang": "en",
          "value": "@1seal"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:56.546Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/763763"
        },
        {
          "url": "https://go.dev/issue/78332"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4866"
        }
      ],
      "title": "Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-33810",
    "datePublished": "2026-04-08T01:06:56.546Z",
    "dateReserved": "2026-03-23T20:35:32.814Z",
    "dateUpdated": "2026-04-20T17:23:21.823Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1006

CVE-2026-27140 (GCVE-0-2026-27140)

CVE-2026-27143 (GCVE-0-2026-27143)

CVE-2026-27144 (GCVE-0-2026-27144)

CVE-2026-32280 (GCVE-0-2026-32280)

CVE-2026-32281 (GCVE-0-2026-32281)

CVE-2026-32282 (GCVE-0-2026-32282)

CVE-2026-32283 (GCVE-0-2026-32283)

CVE-2026-32288 (GCVE-0-2026-32288)

CVE-2026-32289 (GCVE-0-2026-32289)

CVE-2026-33810 (GCVE-0-2026-33810)

Tags

Sightings

Nomenclature