OPENSUSE-SU-2026:20570-1
Vulnerability Summary
Description
Security update for go1.25

This update for go1.25 fixes the following issues:

- Update to version go1.25.9 (bsc#1244485).
- CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG (bsc#1261653).
- CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination (bsc#1261654).
- CVE-2026-27144: cmd/compile: no-op interface conversion bypasses overlap checking (bsc#1261655).
- CVE-2026-32280: crypto/x509: unexpected work during chain building (bsc#1261656).
- CVE-2026-32281: crypto/x509: inefficient policy validation (bsc#1261657).
- CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on Linux (bsc#1261658).
- CVE-2026-32283: crypto/tls: multiple key update handshake messages can cause connection to deadlock (bsc#1261659).
- CVE-2026-32288: archive/tar: unbounded allocation when parsing old format GNU sparse map (bsc#1261660).
- CVE-2026-32289: html/template: JS template literal context incorrectly tracked (bsc#1261661).
Affected Systems
- openSUSE Leap 16.0: go1.25 < 1.25.9-160000.1.1
References (19)
- https://bugzilla.suse.com/1244485
- https://bugzilla.suse.com/1261653
- https://bugzilla.suse.com/1261654
- https://bugzilla.suse.com/1261655
- https://bugzilla.suse.com/1261656
- https://bugzilla.suse.com/1261657
- https://bugzilla.suse.com/1261658
- https://bugzilla.suse.com/1261659
- https://bugzilla.suse.com/1261660
- https://bugzilla.suse.com/1261661
- https://www.suse.com/security/cve/CVE-2026-27140
- https://www.suse.com/security/cve/CVE-2026-27143
- https://www.suse.com/security/cve/CVE-2026-27144
- https://www.suse.com/security/cve/CVE-2026-32280
- https://www.suse.com/security/cve/CVE-2026-32281
- https://www.suse.com/security/cve/CVE-2026-32282
- https://www.suse.com/security/cve/CVE-2026-32283
- https://www.suse.com/security/cve/CVE-2026-32288
- https://www.suse.com/security/cve/CVE-2026-32289