Go Programming Language 1.26 Patches Multiple Vulnerabilities Causing Memory Exhaustion
The Go programming language team has released security updates for versions 1.25.6 and 1.24.12, addressing six critical vulnerabilities spanning denial-of-service attacks, memory exhaustion, and arbitrary code execution.
These patches follow Go’s PRIVATE track security policy, which handles violations of committed security properties through scheduled minor releases.
Memory Exhaustion and DoS Vulnerabilities Patched
The most severe flaw affects the archive/zip package (CVE-2025-61728), where file name indexing has super-linear cost and is triggered when files are opened from a ZIP archive.
A crafted archive can therefore cause denial of service through CPU exhaustion. Security researcher Jakub Ciolek discovered this vulnerability, which has been resolved in the latest releases.
A second memory exhaustion issue (CVE-2025-61726) impacts net/http’s Request.ParseForm method.
When processing URL-encoded forms with large numbers of key-value pairs, the parser allocates excessive memory, leading to DoS conditions.
Researcher jub0bs reported this vulnerability, prompting immediate mitigation in the patched versions.
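As an added defensive example (not code from the Go release or from the CVE fix itself), bounding the request body with http.MaxBytesReader before ParseForm runs caps the memory a URL-encoded form can consume, however many key-value pairs it carries; the handler names and the 64 KiB cap are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// IsTooLarge reports whether err came from the MaxBytesReader limit.
func IsTooLarge(err error) bool {
	var mbe *http.MaxBytesError
	return errors.As(err, &mbe)
}

// ParseFormLimited wraps r.Body with http.MaxBytesReader so that ParseForm
// never reads more than maxBytes of URL-encoded form data. w may be nil
// when no response is in flight (for example in tests).
func ParseFormLimited(w http.ResponseWriter, r *http.Request, maxBytes int64) (url.Values, error) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBytes)
	if err := r.ParseForm(); err != nil {
		return nil, err
	}
	return r.PostForm, nil
}

// FormHandler applies the limit and maps an oversized body to HTTP 413.
func FormHandler(maxBytes int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		form, err := ParseFormLimited(w, r, maxBytes)
		if err != nil {
			if IsTooLarge(err) {
				http.Error(w, "form too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "bad form", http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "parsed %d fields\n", len(form))
	}
}

func main() {
	// 64 KiB cap is an assumed value; size it per endpoint.
	http.Handle("/submit", FormHandler(64<<10))
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```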
The crypto/tls package contained three distinct vulnerabilities. CVE-2025-68121 addressed a flaw in which Config.Clone improperly copied automatically generated session ticket keys, allowing unauthorized session resumption.
Additionally, the server-side implementation only verified leaf certificate expiration during session resumption, ignoring expired intermediate or root certificates. Both issues were reported by Coia Prant.
| CVE ID | Component | Impact | Reporter |
|---|---|---|---|
| CVE-2025-61728 | archive/zip | DoS via malicious ZIP archives | Jakub Ciolek |
| CVE-2025-61726 | net/http | Memory exhaustion in ParseForm | jub0bs |
| CVE-2025-68121 | crypto/tls | Unauthorized session resumption | Coia Prant |
| CVE-2025-61731 | cmd/go | Arbitrary code execution via CgoPkgConfig | RyotaK |
| CVE-2025-68119 | cmd/go | Code execution via VCS commands | splitline |
| CVE-2025-61730 | crypto/tls | Information disclosure in handshake | Coia Prant |
A third TLS flaw (CVE-2025-61730) allowed handshake messages to be processed at incorrect encryption levels when multiple messages span encryption boundaries, potentially exposing information to network-local attackers.
Two critical toolchain vulnerabilities enabled arbitrary code execution. CVE-2025-61731 affected CgoPkgConfig, where unsanitized compiler flags could execute pkg-config with malicious parameters. RyotaK from GMO Flatt Security Inc. identified this bypass of flag sanitization.
CVE-2025-68119 impacted the Go toolchain’s VCS integration. Systems with Mercurial or Git installed could execute arbitrary code when downloading modules from non-standard sources or building modules with malicious version strings.
The toolchain now disallows version strings prefixed with “-” or “/” characters. This vulnerability was discovered by splitline from the DEVCORE Research Team.