This update for go1.26 fixes the following issues
Security issues:
- CVE-2026-33811: net: crash when handling long CNAME response (bsc#1264508).
- CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1264506).
- CVE-2026-39817: cmd/go: "go tool pack" does not sanitize output paths (bsc#1264505).
- CVE-2026-39819: cmd/go: "go bug" follows symlinks in predictable temporary filenames (bsc#1264504).
- CVE-2026-39820: net/mail: quadratic string concatentation in consumeComment (bsc#1264503).
- CVE-2026-39823: html/template: bypass of meta content URL escaping causes XSS (bsc#1264509).
- CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters
(bsc#1264500).
- CVE-2026-39826: html/template: escaper bypass leads to XSS (bsc#1264507).
- CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte on Windows (bsc#1264501).
- CVE-2026-42499: net/mail: quadratic string...
Read the Full Advisory- openSUSE Leap 16.0:
go1.26-1.26.3-160000.1.1
go1.26-doc-1.26.3-160000.1.1
go1.26-libstd-1.26.3-160000.1.1
go1.26-race-1.26.3-160000.1.1
* bsc#1170826
* bsc#1255111
* bsc#1264499
* bsc#1264500
* bsc#1264501
* bsc#1264502
* bsc#1264503
* bsc#1264504
* bsc#1264505
* bsc#1264506
* bsc#1264507
* bsc#1264508
* bsc#1264509
References:
* https://www.suse.com/security/cve/CVE-2026-33811.html
* https://www.suse.com/security/cve/CVE-2026-33814.html
* https://www.suse.com/security/cve/CVE-2026-39817.html
* https://www.suse.com/security/cve/CVE-2026-39819.html
* https://www.suse.com/security/cve/CVE-2026-39820.html
* https://www.suse.com/security/cve/CVE-2026-39823.html
* https://www.suse.com/security/cve/CVE-2026-39825.html
* https://www.suse.com/security/cve/CVE-2026-39826.html
* https://www.suse.com/security/cve/CVE-2026-39836.html
* https://www.suse.com/security/cve/CVE-2026-42499.html
* https://www.suse.com/security/cve/CVE-2026-42501.html
Get the latest Linux and open source security news straight to your inbox.