Vulnerability-Lookup

WID-SEC-W-2026-1437

Vulnerability from csaf_certbund - Published: 2026-05-07 22:00 - Updated: 2026-05-27 22:00

Summary

Golang Go: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Go ist eine quelloffene Programmiersprache.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Golang Go ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Daten zu manipulieren, Cross-Site-Scripting-Angriffe durchzuführen, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2026-27142

Affected products

Known affected 8 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Golang Go <1.25.10 Golang / Go		<1.25.10
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Golang Go <1.26.3 Golang / Go		<1.26.3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-33811

Affected products

Known affected 8 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Golang Go <1.25.10 Golang / Go		<1.25.10
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Golang Go <1.26.3 Golang / Go		<1.26.3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-33814

Affected products

Known affected 8 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Golang Go <1.25.10 Golang / Go		<1.25.10
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Golang Go <1.26.3 Golang / Go		<1.26.3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-39817

Affected products

Known affected 8 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Golang Go <1.25.10 Golang / Go		<1.25.10
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Golang Go <1.26.3 Golang / Go		<1.26.3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-39819

Affected products

Known affected 8 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Golang Go <1.25.10 Golang / Go		<1.25.10
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Golang Go <1.26.3 Golang / Go		<1.26.3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-39820

Affected products

Known affected 8 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Golang Go <1.25.10 Golang / Go		<1.25.10
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Golang Go <1.26.3 Golang / Go		<1.26.3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-39823

Affected products

Known affected 8 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Golang Go <1.25.10 Golang / Go		<1.25.10
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Golang Go <1.26.3 Golang / Go		<1.26.3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-39825

Affected products

Known affected 8 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Golang Go <1.25.10 Golang / Go		<1.25.10
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Golang Go <1.26.3 Golang / Go		<1.26.3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-39826

Affected products

Known affected 8 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Golang Go <1.25.10 Golang / Go		<1.25.10
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Golang Go <1.26.3 Golang / Go		<1.26.3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-39836

Affected products

Known affected 8 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Golang Go <1.25.10 Golang / Go		<1.25.10
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Golang Go <1.26.3 Golang / Go		<1.26.3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-42499

Affected products

Known affected 8 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Golang Go <1.25.10 Golang / Go		<1.25.10
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Golang Go <1.26.3 Golang / Go		<1.26.3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-42501

Affected products

Known affected 8 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Golang Go <1.25.10 Golang / Go		<1.25.10
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Golang Go <1.26.3 Golang / Go		<1.26.3
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

References

48 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://groups.google.com/g/golang-announce/c/qcC…	external
https://lists.opensuse.org/archives/list/security…	external
https://msrc.microsoft.com/update-guide/	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAV…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://alas.aws.amazon.com/AL2/ALAS2-2026-3308.html	external
https://alas.aws.amazon.com/AL2/ALAS2-2026-3309.html	external
https://alas.aws.amazon.com/AL2/ALAS2-2026-3310.html	external
https://alas.aws.amazon.com/AL2/ALAS2-2026-3311.html	external
https://alas.aws.amazon.com/AL2/ALAS2-2026-3313.html	external
https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-…	external
https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-…	external
https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-…	external
https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-…	external
https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-…	external
https://alas.aws.amazon.com/AL2/ALAS2-2026-3319.html	external
https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-…	external
https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-…	external
https://alas.aws.amazon.com/AL2/ALAS2ECS-2026-116.html	external
https://alas.aws.amazon.com/AL2/ALAS2ECS-2026-117.html	external
https://alas.aws.amazon.com/AL2/ALAS2ECS-2026-118.html	external
https://alas.aws.amazon.com/AL2/ALAS2ECS-2026-115.html	external
https://alas.aws.amazon.com/AL2/ALAS2ECS-2026-119.html	external
https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAV…	external
https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAV…	external
https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAV…	external
https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAV…	external
https://docs.cloud.google.com/container-optimized…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://access.redhat.com/errata/RHSA-2026:17714	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://access.redhat.com/errata/RHSA-2026:17713	external
https://lists.suse.com/pipermail/sle-security-upd…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Go ist eine quelloffene Programmiersprache.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Golang Go ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Daten zu manipulieren, Cross-Site-Scripting-Angriffe durchzuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1437 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1437.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1437 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1437"
      },
      {
        "category": "external",
        "summary": "Golang Announce vom 2026-05-07",
        "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10723-1 vom 2026-05-10",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KAPID34AVTSUVR5VLMYLTSVPCBNB7627/"
      },
      {
        "category": "external",
        "summary": "Microsoft Security Update Guide vom 2026-05-12",
        "url": "https://msrc.microsoft.com/update-guide/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10741-1 vom 2026-05-12",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T7UAVKUIB6GYXYYSMFI4JUIXBP2L5J62/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1861-1 vom 2026-05-15",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026078.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1862-1 vom 2026-05-15",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026077.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:20763-1 vom 2026-05-19",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WVNMP2VUARXDVL6QMCH3D7RZTR3H7GXM/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:20762-1 vom 2026-05-19",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/V2GWOVADJGJB7KDSILDFCQFAYIGANRQ2/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2049-1 vom 2026-05-25",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026276.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10849-1 vom 2026-05-25",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJSSIGOMBB7CI6H5MOSOL6B7XRBL5LKK/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10842-1 vom 2026-05-24",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RA6PKGM4RN2T2DFSXXNZRPYQVODGU2NO/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10845-1 vom 2026-05-24",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MHOGVSQU7PY2NM3HOJ74FFNGCKPQAWFO/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10847-1 vom 2026-05-24",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MJJHAUMC4DQUYVQAXKFPGBARHDRTQYY5/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10848-1 vom 2026-05-25",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7OTX2SNWG7ZECS2R52AXC5PHMPEUMYIH/"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2NITRO-ENCLAVES-2026-107 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAVES-2026-107.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2079-1 vom 2026-05-26",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026311.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2078-1 vom 2026-05-26",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026312.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2026-3308 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2-2026-3308.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2026-3309 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2-2026-3309.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2026-3310 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2-2026-3310.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2026-3311 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2-2026-3311.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2026-3313 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2-2026-3313.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2DOCKER-2026-121 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-121.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2DOCKER-2026-122 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-122.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2DOCKER-2026-123 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-123.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2DOCKER-2026-124 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-124.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2DOCKER-2026-125 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-125.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2026-3319 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2-2026-3319.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2DOCKER-2026-119 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-119.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2DOCKER-2026-120 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2DOCKER-2026-120.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2ECS-2026-116 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2ECS-2026-116.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2ECS-2026-117 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2ECS-2026-117.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2ECS-2026-118 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2ECS-2026-118.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2ECS-2026-115 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2ECS-2026-115.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2ECS-2026-119 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2ECS-2026-119.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2NITRO-ENCLAVES-2026-103 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAVES-2026-103.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2NITRO-ENCLAVES-2026-104 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAVES-2026-104.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2NITRO-ENCLAVES-2026-105 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAVES-2026-105.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2NITRO-ENCLAVES-2026-106 vom 2026-05-26",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2NITRO-ENCLAVES-2026-106.html"
      },
      {
        "category": "external",
        "summary": "Container-Optimized OS release notes vom 2026-05-27",
        "url": "https://docs.cloud.google.com/container-optimized-os/docs/release-notes#May_26_2026"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2093-1 vom 2026-05-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026364.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17714 vom 2026-05-27",
        "url": "https://access.redhat.com/errata/RHSA-2026:17714"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2092-1 vom 2026-05-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026365.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21804-1 vom 2026-05-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026341.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17713 vom 2026-05-27",
        "url": "https://access.redhat.com/errata/RHSA-2026:17713"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21805-1 vom 2026-05-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026340.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Golang Go: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-27T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-28T07:28:32.746+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1437",
      "initial_release_date": "2026-05-07T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-07T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-10T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-05-11T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2026-05-12T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-05-17T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-05-18T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-05-25T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von SUSE und openSUSE aufgenommen"
        },
        {
          "date": "2026-05-26T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Amazon und SUSE aufgenommen"
        },
        {
          "date": "2026-05-27T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von SUSE und Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "9"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.26.3",
                "product": {
                  "name": "Golang Go \u003c1.26.3",
                  "product_id": "T053722"
                }
              },
              {
                "category": "product_version",
                "name": "1.26.3",
                "product": {
                  "name": "Golang Go 1.26.3",
                  "product_id": "T053722-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:golang:go:1.26.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.25.10",
                "product": {
                  "name": "Golang Go \u003c1.25.10",
                  "product_id": "T053723"
                }
              },
              {
                "category": "product_version",
                "name": "1.25.10",
                "product": {
                  "name": "Golang Go 1.25.10",
                  "product_id": "T053723-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:golang:go:1.25.10"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Go"
          }
        ],
        "category": "vendor",
        "name": "Golang"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Google Container-Optimized OS",
            "product": {
              "name": "Google Container-Optimized OS",
              "product_id": "1607324",
              "product_identification_helper": {
                "cpe": "cpe:/o:google:container-optimized_os:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Google"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "azl3",
                "product": {
                  "name": "Microsoft Azure Linux azl3",
                  "product_id": "T049210",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:microsoft:azure_linux:azl3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-27142",
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T027843",
          "T053723",
          "398363",
          "T049210",
          "T053722",
          "1607324"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-27142"
    },
    {
      "cve": "CVE-2026-33811",
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T027843",
          "T053723",
          "398363",
          "T049210",
          "T053722",
          "1607324"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-33811"
    },
    {
      "cve": "CVE-2026-33814",
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T027843",
          "T053723",
          "398363",
          "T049210",
          "T053722",
          "1607324"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-33814"
    },
    {
      "cve": "CVE-2026-39817",
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T027843",
          "T053723",
          "398363",
          "T049210",
          "T053722",
          "1607324"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-39817"
    },
    {
      "cve": "CVE-2026-39819",
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T027843",
          "T053723",
          "398363",
          "T049210",
          "T053722",
          "1607324"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-39819"
    },
    {
      "cve": "CVE-2026-39820",
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T027843",
          "T053723",
          "398363",
          "T049210",
          "T053722",
          "1607324"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-39820"
    },
    {
      "cve": "CVE-2026-39823",
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T027843",
          "T053723",
          "398363",
          "T049210",
          "T053722",
          "1607324"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-39823"
    },
    {
      "cve": "CVE-2026-39825",
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T027843",
          "T053723",
          "398363",
          "T049210",
          "T053722",
          "1607324"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-39825"
    },
    {
      "cve": "CVE-2026-39826",
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T027843",
          "T053723",
          "398363",
          "T049210",
          "T053722",
          "1607324"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-39826"
    },
    {
      "cve": "CVE-2026-39836",
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T027843",
          "T053723",
          "398363",
          "T049210",
          "T053722",
          "1607324"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-39836"
    },
    {
      "cve": "CVE-2026-42499",
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T027843",
          "T053723",
          "398363",
          "T049210",
          "T053722",
          "1607324"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-42499"
    },
    {
      "cve": "CVE-2026-42501",
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T027843",
          "T053723",
          "398363",
          "T049210",
          "T053722",
          "1607324"
        ]
      },
      "release_date": "2026-05-07T22:00:00.000+00:00",
      "title": "CVE-2026-42501"
    }
  ]
}

CVE-2026-42499 (GCVE-0-2026-42499)

Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 21:29

Title

Quadratic string concatenation in consumePhrase in net/mail

Summary

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

4 references

URL	Tags
https://go.dev/issue/78987
https://go.dev/cl/771520
https://groups.google.com/g/golang-announce/c/qcC…
https://pkg.go.dev/vuln/GO-2026-4977

Impacted products

1 product

Vendor	Product	Version
Go standard library	net/mail	Affected: 0 , < 1.25.10 (semver) Affected: 1.26.0-0 , < 1.26.3 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42499",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T16:55:28.873015Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T21:29:59.662Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/mail",
          "product": "net/mail",
          "programRoutines": [
            {
              "name": "addrParser.consumePhrase"
            },
            {
              "name": "AddressParser.Parse"
            },
            {
              "name": "AddressParser.ParseList"
            },
            {
              "name": "Header.AddressList"
            },
            {
              "name": "ParseAddress"
            },
            {
              "name": "ParseAddressList"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.3",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T19:41:18.615Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/78987"
        },
        {
          "url": "https://go.dev/cl/771520"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4977"
        }
      ],
      "title": "Quadratic string concatenation in consumePhrase in net/mail"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-42499",
    "datePublished": "2026-05-07T19:41:18.615Z",
    "dateReserved": "2026-04-28T00:21:12.791Z",
    "dateUpdated": "2026-05-08T21:29:59.662Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42501 (GCVE-0-2026-42501)

Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 15:48

Title

Malicious module proxy can bypass checksum database in cmd/go

Summary

A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different version of the Go toolchain than the currently installed toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod with a toolchain line), the go command will download and execute a toolchain provided by the module proxy. A malicious module proxy can bypass checksum database validation for this downloaded toolchain. Since this vulnerability affects the security of toolchain downloads, setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade your base Go toolchain. The go tool always validates the hash of a toolchain before executing it, so fixed versions will refuse to execute any cached, altered versions of the toolchain. The go tool trusts go.sum files to contain accurate hashes of the current module's dependencies. A malicious proxy exploiting this vulnerability to serve an altered module will have caused an incorrect hash to be recorded in the go.sum. Users who have configured a non-trusted GOPROXY can determine if they have been affected by running "rm go.sum ; go mod tidy ; go mod verify", which will revalidate all dependencies of the current module. The specific flaw in more detail: The go command consults the checksum database to validate downloaded modules, when a module is not listed in the go.sum file. It verifies that the module hash reported by the checksum database matches the hash of the downloaded module. If, however, the checksum database returns a successful response that contains no entry for the module, the go command incorrectly permitted validation to succeed. A module proxy may mirror or proxy the checksum database, in which case the go command will not connect to the checksum database directly. Checksums reported by the checksum database are cryptographically signed, so a malicious proxy cannot alter the reported checksum for a module. However, a proxy which returns an empty checksum response, or a checksum response for an unrelated module, could cause the go command to proceed as if a downloaded module has been validated.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-347 - Improper Verification of Cryptographic Signature

Assigner

References

4 references

URL	Tags
https://go.dev/cl/775321
https://go.dev/issue/79070
https://groups.google.com/g/golang-announce/c/qcC…
https://pkg.go.dev/vuln/GO-2026-4984

Impacted products

1 product

Vendor	Product	Version
Go toolchain	cmd/go	Affected: 0 , < 1.25.10 (semver) Affected: 1.26.0-0 , < 1.26.3 (semver)

Credits

Mundur (https://github.com/M0nd0R)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42501",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T15:48:05.053316Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-347",
                "description": "CWE-347 Improper Verification of Cryptographic Signature",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T15:48:47.404Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/go",
          "product": "cmd/go",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.25.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.3",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Mundur (https://github.com/M0nd0R)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A malicious module proxy can exploit a flaw in the go command\u0027s validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different version of the Go toolchain than the currently installed toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod with a toolchain line), the go command will download and execute a toolchain provided by the module proxy. A malicious module proxy can bypass checksum database validation for this downloaded toolchain. Since this vulnerability affects the security of toolchain downloads, setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade your base Go toolchain. The go tool always validates the hash of a toolchain before executing it, so fixed versions will refuse to execute any cached, altered versions of the toolchain. The go tool trusts go.sum files to contain accurate hashes of the current module\u0027s dependencies. A malicious proxy exploiting this vulnerability to serve an altered module will have caused an incorrect hash to be recorded in the go.sum. Users who have configured a non-trusted GOPROXY can determine if they have been affected by running \"rm go.sum ; go mod tidy ; go mod verify\", which will revalidate all dependencies of the current module. The specific flaw in more detail: The go command consults the checksum database to validate downloaded modules, when a module is not listed in the go.sum file. It verifies that the module hash reported by the checksum database matches the hash of the downloaded module. If, however, the checksum database returns a successful response that contains no entry for the module, the go command incorrectly permitted validation to succeed. A module proxy may mirror or proxy the checksum database, in which case the go command will not connect to the checksum database directly. Checksums reported by the checksum database are cryptographically signed, so a malicious proxy cannot alter the reported checksum for a module. However, a proxy which returns an empty checksum response, or a checksum response for an unrelated module, could cause the go command to proceed as if a downloaded module has been validated."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T19:41:19.691Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/775321"
        },
        {
          "url": "https://go.dev/issue/79070"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4984"
        }
      ],
      "title": "Malicious module proxy can bypass checksum database in cmd/go"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-42501",
    "datePublished": "2026-05-07T19:41:19.691Z",
    "dateReserved": "2026-04-28T00:21:12.791Z",
    "dateUpdated": "2026-05-08T15:48:47.404Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1437

CVE-2026-42499 (GCVE-0-2026-42499)

CVE-2026-42501 (GCVE-0-2026-42501)

Tags

Sightings

Nomenclature