[security][CRITICAL] go1.24 1.24.11: 18 CVE require triage #1

Open
opened 2026-05-25 20:43:21 +03:00 by sbelikov · 0 comments

CVE triage request

Package

  • Package: go1.24
  • Version: 1.24.11
  • EVR: 1.24.11-1
  • Category: -
  • Policy class: -
  • NiceOS policy class: -
  • Owner: -
  • Severity: CRITICAL
  • Max CVSS: 10.0
  • CVE count: 18
  • Included NiceOS statuses: needs_triage
  • Included match types: cpe-range

LLM recommendation

NVD/CPE candidate CVEs were found for go1.24 1.24.11: CVE-2025-61726, CVE-2025-61731, CVE-2025-61732, CVE-2025-68119, CVE-2025-68121, CVE-2026-25679, CVE-2026-27140, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, CVE-2026-32283, CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39836, CVE-2026-42499, CVE-2026-42501. Security-team triage is required.

Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required.

Recommended action: needs_triage

Target version hint: -

Tests: Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests.

Risks: An automatic NVD/CPE match is not the final NiceOS vulnerability verdict.

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | Confidence | NiceOS status | Fixed in | Existing issue | Reason |
|---|---|---:|---|---:|---|---|---|---|
| CVE-2025-68121 | CRITICAL | 10.0 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2026-27143 | CRITICAL | 9.8 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2026-27140 | HIGH | 8.8 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2025-61732 | HIGH | 8.6 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2025-61731 | HIGH | 7.8 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2025-61726 | HIGH | 7.5 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2026-25679 | HIGH | 7.5 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2026-32280 | HIGH | 7.5 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2026-32281 | HIGH | 7.5 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2026-32283 | HIGH | 7.5 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2026-33811 | HIGH | 7.5 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2026-33814 | HIGH | 7.5 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2026-39820 | HIGH | 7.5 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2026-39836 | HIGH | 7.5 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2026-42499 | HIGH | 7.5 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2026-42501 | HIGH | 7.5 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2026-27144 | HIGH | 7.1 | cpe-range | 78 | needs_triage | | | package version is inside version range |
| CVE-2025-68119 | HIGH | 7.0 | cpe-range | 78 | needs_triage | | | package version is inside version range |

Descriptions

CVE-2025-68121

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

CVE-2026-27143

Arithmetic over induction variables in loops was not correctly checked for underflow or overflow. As a result, the compiler would allow invalid indexing to occur at runtime, potentially leading to memory corruption.

CVE-2026-27140

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

CVE-2025-61732

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

CVE-2025-61731

Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments that the Go toolchain passes to the pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.

CVE-2025-61726

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

CVE-2026-25679

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

CVE-2026-32280

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

CVE-2026-32281

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

CVE-2026-32283

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

CVE-2026-33811

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

CVE-2026-33814

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

CVE-2026-39820

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

CVE-2026-39836

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

CVE-2026-42499

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

CVE-2026-42501

A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different version of the Go toolchain than the currently installed toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod with a toolchain line), the go command will download and execute a toolchain provided by the module proxy. A malicious module proxy can bypass checksum database validation for this downloaded toolchain. Since this vulnerability affects the security of toolchain downloads, setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade your base Go toolchain. The go tool always validates the hash of a toolchain before executing it, so fixed versions will refuse to execute any cached, altered versions of the toolchain. The go tool trusts go.sum files to contain accurate hashes of the current module's dependencies. A malicious proxy exploiting this vulnerability to serve an altered module will have caused an incorrect hash to be recorded in the go.sum. Users who have configured a non-trusted GOPROXY can determine if they have been affected by running "rm go.sum ; go mod tidy ; go
...[truncated]

CVE-2026-27144

The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.

CVE-2025-68119

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.

Scanner integration

This issue was generated from niceos_cve_matches after the SPEC/Forgejo evidence pass.
Once the issue has actually been created, the creator script writes forgejo_issue_open rows into niceos_cve_evidence and marks the selected CVE rows as issue_open, so the next scanner/creator run does not duplicate the issue.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2025-61726",
    "CVE-2025-61731",
    "CVE-2025-61732",
    "CVE-2025-68119",
    "CVE-2025-68121",
    "CVE-2026-25679",
    "CVE-2026-27140",
    "CVE-2026-27143",
    "CVE-2026-27144",
    "CVE-2026-32280",
    "CVE-2026-32281",
    "CVE-2026-32283",
    "CVE-2026-33811",
    "CVE-2026-33814",
    "CVE-2026-39820",
    "CVE-2026-39836",
    "CVE-2026-42499",
    "CVE-2026-42501"
  ],
  "fingerprint": "8183e7df381e19e868d8",
  "generated_at": "2026-05-25T17:43:19Z",
  "match_ids": [
    1321,
    1324,
    1325,
    1326,
    1327,
    1328,
    1331,
    1332,
    1333,
    1334,
    1335,
    1337,
    1340,
    1341,
    1344,
    1348,
    1349,
    1350
  ],
  "match_types": [
    "cpe-range"
  ],
  "package": "go1.24",
  "prompt_version": "niceos_cve_issue_analysis_v2",
  "statuses": [
    "needs_triage"
  ],
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "2.0",
  "version": "1.24.11"
}