Vulnerability-Lookup

OPENSUSE-SU-2026:20077-1

Vulnerability from csaf_opensuse - Published: 2026-01-22 12:53 - Updated: 2026-01-22 12:53

Summary

Security update for go1.24

Notes

Title of the patch

Security update for go1.24

Description of the patch

This update for go1.24 fixes the following issues: Update to go1.24.12 (released 2026-01-15) (bsc#1236217) Security fixes: - CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821). - CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain (bsc#1256820). - CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819). - CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm (bsc#1256817). - CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816). - CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818). Other fixes: * go#76408 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled * go#76624 os: on Unix, Readdirnames skips directory entries with zero inodes * go#76760 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386 * go#76796 runtime: race detector crash on ppc64le * go#76966 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range

Patchnames

openSUSE-Leap-16.0-166

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for go1.24",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for go1.24 fixes the following issues:\n\nUpdate to go1.24.12 (released 2026-01-15) (bsc#1236217)\n\nSecurity fixes:\n\n - CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821).\n - CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain (bsc#1256820).\n - CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819).\n - CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm (bsc#1256817).\n - CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816).\n - CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818).\n\nOther fixes:\n\n  * go#76408 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled\n  * go#76624 os: on Unix, Readdirnames skips directory entries with zero inodes\n  * go#76760 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386\n  * go#76796 runtime: race detector crash on ppc64le\n  * go#76966 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling \u0026lt;function\u0026gt;: runtime error: index out of range\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Leap-16.0-166",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20077-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1236217",
        "url": "https://bugzilla.suse.com/1236217"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1256816",
        "url": "https://bugzilla.suse.com/1256816"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1256817",
        "url": "https://bugzilla.suse.com/1256817"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1256818",
        "url": "https://bugzilla.suse.com/1256818"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1256819",
        "url": "https://bugzilla.suse.com/1256819"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1256820",
        "url": "https://bugzilla.suse.com/1256820"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1256821",
        "url": "https://bugzilla.suse.com/1256821"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-61726 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-61726/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-61728 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-61728/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-61730 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-61730/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-61731 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-61731/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-68119 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-68119/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-68121 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-68121/"
      }
    ],
    "title": "Security update for go1.24",
    "tracking": {
      "current_release_date": "2026-01-22T12:53:33Z",
      "generator": {
        "date": "2026-01-22T12:53:33Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:20077-1",
      "initial_release_date": "2026-01-22T12:53:33Z",
      "revision_history": [
        {
          "date": "2026-01-22T12:53:33Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "go1.24-1.24.12-160000.1.1.aarch64",
                "product": {
                  "name": "go1.24-1.24.12-160000.1.1.aarch64",
                  "product_id": "go1.24-1.24.12-160000.1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "go1.24-doc-1.24.12-160000.1.1.aarch64",
                "product": {
                  "name": "go1.24-doc-1.24.12-160000.1.1.aarch64",
                  "product_id": "go1.24-doc-1.24.12-160000.1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "go1.24-libstd-1.24.12-160000.1.1.aarch64",
                "product": {
                  "name": "go1.24-libstd-1.24.12-160000.1.1.aarch64",
                  "product_id": "go1.24-libstd-1.24.12-160000.1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "go1.24-race-1.24.12-160000.1.1.aarch64",
                "product": {
                  "name": "go1.24-race-1.24.12-160000.1.1.aarch64",
                  "product_id": "go1.24-race-1.24.12-160000.1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "go1.24-1.24.12-160000.1.1.ppc64le",
                "product": {
                  "name": "go1.24-1.24.12-160000.1.1.ppc64le",
                  "product_id": "go1.24-1.24.12-160000.1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "go1.24-doc-1.24.12-160000.1.1.ppc64le",
                "product": {
                  "name": "go1.24-doc-1.24.12-160000.1.1.ppc64le",
                  "product_id": "go1.24-doc-1.24.12-160000.1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "go1.24-race-1.24.12-160000.1.1.ppc64le",
                "product": {
                  "name": "go1.24-race-1.24.12-160000.1.1.ppc64le",
                  "product_id": "go1.24-race-1.24.12-160000.1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "go1.24-1.24.12-160000.1.1.s390x",
                "product": {
                  "name": "go1.24-1.24.12-160000.1.1.s390x",
                  "product_id": "go1.24-1.24.12-160000.1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "go1.24-doc-1.24.12-160000.1.1.s390x",
                "product": {
                  "name": "go1.24-doc-1.24.12-160000.1.1.s390x",
                  "product_id": "go1.24-doc-1.24.12-160000.1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "go1.24-race-1.24.12-160000.1.1.s390x",
                "product": {
                  "name": "go1.24-race-1.24.12-160000.1.1.s390x",
                  "product_id": "go1.24-race-1.24.12-160000.1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "go1.24-1.24.12-160000.1.1.x86_64",
                "product": {
                  "name": "go1.24-1.24.12-160000.1.1.x86_64",
                  "product_id": "go1.24-1.24.12-160000.1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "go1.24-doc-1.24.12-160000.1.1.x86_64",
                "product": {
                  "name": "go1.24-doc-1.24.12-160000.1.1.x86_64",
                  "product_id": "go1.24-doc-1.24.12-160000.1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "go1.24-libstd-1.24.12-160000.1.1.x86_64",
                "product": {
                  "name": "go1.24-libstd-1.24.12-160000.1.1.x86_64",
                  "product_id": "go1.24-libstd-1.24.12-160000.1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "go1.24-race-1.24.12-160000.1.1.x86_64",
                "product": {
                  "name": "go1.24-race-1.24.12-160000.1.1.x86_64",
                  "product_id": "go1.24-race-1.24.12-160000.1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 16.0",
                "product": {
                  "name": "openSUSE Leap 16.0",
                  "product_id": "openSUSE Leap 16.0"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.24-1.24.12-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64"
        },
        "product_reference": "go1.24-1.24.12-160000.1.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.24-1.24.12-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le"
        },
        "product_reference": "go1.24-1.24.12-160000.1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.24-1.24.12-160000.1.1.s390x as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x"
        },
        "product_reference": "go1.24-1.24.12-160000.1.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.24-1.24.12-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64"
        },
        "product_reference": "go1.24-1.24.12-160000.1.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.24-doc-1.24.12-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64"
        },
        "product_reference": "go1.24-doc-1.24.12-160000.1.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.24-doc-1.24.12-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le"
        },
        "product_reference": "go1.24-doc-1.24.12-160000.1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.24-doc-1.24.12-160000.1.1.s390x as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x"
        },
        "product_reference": "go1.24-doc-1.24.12-160000.1.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.24-doc-1.24.12-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64"
        },
        "product_reference": "go1.24-doc-1.24.12-160000.1.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.24-libstd-1.24.12-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64"
        },
        "product_reference": "go1.24-libstd-1.24.12-160000.1.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.24-libstd-1.24.12-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64"
        },
        "product_reference": "go1.24-libstd-1.24.12-160000.1.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.24-race-1.24.12-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64"
        },
        "product_reference": "go1.24-race-1.24.12-160000.1.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.24-race-1.24.12-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le"
        },
        "product_reference": "go1.24-race-1.24.12-160000.1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.24-race-1.24.12-160000.1.1.s390x as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x"
        },
        "product_reference": "go1.24-race-1.24.12-160000.1.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go1.24-race-1.24.12-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
        },
        "product_reference": "go1.24-race-1.24.12-160000.1.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-61726",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-61726"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-61726",
          "url": "https://www.suse.com/security/cve/CVE-2025-61726"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256817 for CVE-2025-61726",
          "url": "https://bugzilla.suse.com/1256817"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-22T12:53:33Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-61726"
    },
    {
      "cve": "CVE-2025-61728",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-61728"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-61728",
          "url": "https://www.suse.com/security/cve/CVE-2025-61728"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256816 for CVE-2025-61728",
          "url": "https://bugzilla.suse.com/1256816"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-22T12:53:33Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-61728"
    },
    {
      "cve": "CVE-2025-61730",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-61730"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-61730",
          "url": "https://www.suse.com/security/cve/CVE-2025-61730"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256821 for CVE-2025-61730",
          "url": "https://bugzilla.suse.com/1256821"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-22T12:53:33Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-61730"
    },
    {
      "cve": "CVE-2025-61731",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-61731"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The \"#cgo pkg-config:\" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a \"--log-file\" argument to this directive, causing pkg-config to write to an attacker-controlled location.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-61731",
          "url": "https://www.suse.com/security/cve/CVE-2025-61731"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256819 for CVE-2025-61731",
          "url": "https://bugzilla.suse.com/1256819"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-22T12:53:33Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-61731"
    },
    {
      "cve": "CVE-2025-68119",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-68119"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-68119",
          "url": "https://www.suse.com/security/cve/CVE-2025-68119"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256820 for CVE-2025-68119",
          "url": "https://bugzilla.suse.com/1256820"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-22T12:53:33Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-68119"
    },
    {
      "cve": "CVE-2025-68121",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-68121"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
          "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-68121",
          "url": "https://www.suse.com/security/cve/CVE-2025-68121"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256818 for CVE-2025-68121",
          "url": "https://bugzilla.suse.com/1256818"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-doc-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-libstd-1.24.12-160000.1.1.x86_64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.aarch64",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.s390x",
            "openSUSE Leap 16.0:go1.24-race-1.24.12-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-22T12:53:33Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-68121"
    }
  ]
}

CVE-2025-61730 (GCVE-0-2025-61730)

Vulnerability from cvelistv5 – Published: 2026-01-28 19:30 – Updated: 2026-02-02 17:28

Title

Handshake messages may be processed at the incorrect encryption level in crypto/tls

Summary

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-940 - Improper Verification of Source of a Communication Channel

Assigner

References

URL

Tags

	https://go.dev/cl/724120
	https://go.dev/issue/76443
	https://groups.google.com/g/golang-announce/c/Vd2…
	https://pkg.go.dev/vuln/GO-2026-4340

Impacted products

	Vendor	Product	Version
	Go standard library	crypto/tls	Affected: 0 , < 1.24.12 (semver) Affected: 1.25.0 , < 1.25.6 (semver)

Credits

Coia Prant (github.com/rbqvq)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-61730",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-02T17:28:46.305649Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-02T17:28:49.572Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/tls",
          "product": "crypto/tls",
          "programRoutines": [
            {
              "name": "Conn.handleKeyUpdate"
            },
            {
              "name": "Conn.handshakeContext"
            },
            {
              "name": "clientHandshakeStateTLS13.establishHandshakeKeys"
            },
            {
              "name": "clientHandshakeStateTLS13.readServerFinished"
            },
            {
              "name": "clientHandshakeStateTLS13.sendClientFinished"
            },
            {
              "name": "serverHandshakeStateTLS13.checkForResumption"
            },
            {
              "name": "serverHandshakeStateTLS13.doHelloRetryRequest"
            },
            {
              "name": "serverHandshakeStateTLS13.sendServerParameters"
            },
            {
              "name": "serverHandshakeStateTLS13.sendServerFinished"
            },
            {
              "name": "serverHandshakeStateTLS13.readClientFinished"
            },
            {
              "name": "Conn.quicSetReadSecret"
            },
            {
              "name": "Conn.Handshake"
            },
            {
              "name": "Conn.HandshakeContext"
            },
            {
              "name": "Conn.Read"
            },
            {
              "name": "Conn.Write"
            },
            {
              "name": "Dial"
            },
            {
              "name": "DialWithDialer"
            },
            {
              "name": "Dialer.Dial"
            },
            {
              "name": "Dialer.DialContext"
            },
            {
              "name": "QUICConn.HandleData"
            },
            {
              "name": "QUICConn.Start"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.6",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Coia Prant (github.com/rbqvq)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-940: Improper Verification of Source of a Communication Channel",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T19:30:30.986Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/724120"
        },
        {
          "url": "https://go.dev/issue/76443"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4340"
        }
      ],
      "title": "Handshake messages may be processed at the incorrect encryption level in crypto/tls"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-61730",
    "datePublished": "2026-01-28T19:30:30.986Z",
    "dateReserved": "2025-09-30T15:05:03.605Z",
    "dateUpdated": "2026-02-02T17:28:49.572Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-61726 (GCVE-0-2025-61726)

Vulnerability from cvelistv5 – Published: 2026-01-28 19:30 – Updated: 2026-01-29 18:31

Title

Memory exhaustion in query parameter parsing in net/url

Summary

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

References

URL

Tags

	https://go.dev/cl/736712
	https://go.dev/issue/77101
	https://groups.google.com/g/golang-announce/c/Vd2…
	https://pkg.go.dev/vuln/GO-2026-4341

Impacted products

	Vendor	Product	Version
	Go standard library	net/url	Affected: 0 , < 1.24.12 (semver) Affected: 1.25.0 , < 1.25.6 (semver)

Credits

jub0bs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-61726",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T18:31:39.150633Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T18:31:59.685Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/url",
          "product": "net/url",
          "programRoutines": [
            {
              "name": "parseQuery"
            },
            {
              "name": "ParseQuery"
            },
            {
              "name": "URL.Query"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.6",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "jub0bs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T19:30:31.215Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/736712"
        },
        {
          "url": "https://go.dev/issue/77101"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4341"
        }
      ],
      "title": "Memory exhaustion in query parameter parsing in net/url"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-61726",
    "datePublished": "2026-01-28T19:30:31.215Z",
    "dateReserved": "2025-09-30T15:05:03.605Z",
    "dateUpdated": "2026-01-29T18:31:59.685Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68119 (GCVE-0-2025-68119)

Vulnerability from cvelistv5 – Published: 2026-01-28 19:30 – Updated: 2026-01-29 16:16

Title

Unexpected code execution when invoking toolchain in cmd/go

Summary

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.

Severity ?

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

References

URL

Tags

	https://go.dev/cl/736710
	https://go.dev/issue/77099
	https://groups.google.com/g/golang-announce/c/Vd2…
	https://pkg.go.dev/vuln/GO-2026-4338

Impacted products

	Vendor	Product	Version
	Go toolchain	cmd/go	Affected: 1.25.0 , < 1.25.6 (semver)

Credits

splitline (@splitline) from DEVCORE Research Team

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-68119",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T04:55:55.432053Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T16:16:38.174Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/go",
          "product": "cmd/go",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.25.6",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "splitline (@splitline) from DEVCORE Research Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T19:30:30.704Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/736710"
        },
        {
          "url": "https://go.dev/issue/77099"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4338"
        }
      ],
      "title": "Unexpected code execution when invoking toolchain in cmd/go"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-68119",
    "datePublished": "2026-01-28T19:30:30.704Z",
    "dateReserved": "2025-12-15T16:48:04.450Z",
    "dateUpdated": "2026-01-29T16:16:38.174Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-61731 (GCVE-0-2025-61731)

Vulnerability from cvelistv5 – Published: 2026-01-28 19:30 – Updated: 2026-01-29 16:17

Title

Arbitrary file write using cgo pkg-config directive in cmd/go

Summary

Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

References

URL

Tags

	https://go.dev/cl/736711
	https://go.dev/issue/77100
	https://groups.google.com/g/golang-announce/c/Vd2…
	https://pkg.go.dev/vuln/GO-2026-4339

Impacted products

	Vendor	Product	Version
	Go toolchain	cmd/go	Affected: 0 , < 1.24.12 (semver) Affected: 1.25.0 , < 1.25.6 (semver)

Credits

RyotaK (https://ryotak.net) of GMO Flatt Security Inc.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-61731",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T04:55:56.484332Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T16:17:24.194Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/go",
          "product": "cmd/go",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.24.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.6",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "RyotaK (https://ryotak.net) of GMO Flatt Security Inc."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The \"#cgo pkg-config:\" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a \"--log-file\" argument to this directive, causing pkg-config to write to an attacker-controlled location."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T19:30:30.844Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/736711"
        },
        {
          "url": "https://go.dev/issue/77100"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4339"
        }
      ],
      "title": "Arbitrary file write using cgo pkg-config directive in cmd/go"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-61731",
    "datePublished": "2026-01-28T19:30:30.844Z",
    "dateReserved": "2025-09-30T15:05:03.605Z",
    "dateUpdated": "2026-01-29T16:17:24.194Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-61728 (GCVE-0-2025-61728)

Vulnerability from cvelistv5 – Published: 2026-01-28 19:30 – Updated: 2026-01-29 18:30

Title

Excessive CPU consumption when building archive index in archive/zip

Summary

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

URL

Tags

	https://go.dev/cl/736713
	https://go.dev/issue/77102
	https://groups.google.com/g/golang-announce/c/Vd2…
	https://pkg.go.dev/vuln/GO-2026-4342

Impacted products

	Vendor	Product	Version
	Go standard library	archive/zip	Affected: 0 , < 1.24.12 (semver) Affected: 1.25.0 , < 1.25.6 (semver)

Credits

Jakub Ciolek

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-01-28T20:08:22.055Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/01/15/4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-61728",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T18:29:58.068724Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T18:30:24.487Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "archive/zip",
          "product": "archive/zip",
          "programRoutines": [
            {
              "name": "Reader.initFileList"
            },
            {
              "name": "Reader.Open"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.6",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T19:30:31.354Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/736713"
        },
        {
          "url": "https://go.dev/issue/77102"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4342"
        }
      ],
      "title": "Excessive CPU consumption when building archive index in archive/zip"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-61728",
    "datePublished": "2026-01-28T19:30:31.354Z",
    "dateReserved": "2025-09-30T15:05:03.605Z",
    "dateUpdated": "2026-01-29T18:30:24.487Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2026:20077-1

CVE-2025-61730 (GCVE-0-2025-61730)

CVE-2025-61726 (GCVE-0-2025-61726)

CVE-2025-68119 (GCVE-0-2025-68119)

CVE-2025-61731 (GCVE-0-2025-61731)

CVE-2025-61728 (GCVE-0-2025-61728)

Tags

Sightings

Nomenclature