MGASA-2026-0035
Advisory lineage Upstream: 7 Downstream: 0
Published: 11 Feb 2026, 17:56
Last modified:16 Apr 2026, 04:19
Vulnerability Summary
Overall Risk (default)
minimal
0/100 CVSS Score
No data
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
11 Feb 2026, 17:56
Published
Vulnerability first disclosed
16 Apr 2026, 04:19
Last Modified
Vulnerability information updated
Description
Updated golang packages fix security vulnerabilities net/http: memory exhaustion in Request.ParseForm. (CVE-2025-61726) archive/zip: denial of service when parsing arbitrary ZIP archives. (CVE-2025-61728) crypto/tls: handshake messages may be processed at the incorrect encryption level. (CVE-2025-61730) cmd/go: bypass of flag sanitization can lead to arbitrary code execution. (CVE-2025-61731) Potential code smuggling via doc comments in cmd/cgo. (CVE-2025-61732) cmd/go: unexpected code execution when invoking toolchain. (CVE-2025-68119) crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain. (CVE-2025-68121)
Affected Systems
- mageia•golang
< 1.24.13-1.mga9
References (8)
- https://advisories.mageia.org/MGASA-2026-0035.html
- https://bugs.mageia.org/show_bug.cgi?id=35007
- https://www.openwall.com/lists/oss-security/2026/01/15/3
- https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
- https://openwall.com/lists/oss-security/2026/01/17/2
- https://openwall.com/lists/oss-security/2026/01/17/3
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/NH2ETRY5I4475P2G36TA426YNBGAZLJM/
- https://www.openwall.com/lists/oss-security/2026/02/07/2