go language

The Go standard library’s URL parser has been found to accept malformed IPv6 host literals in a way that can lead to surprising, inconsistent behavior across systems — a defect tracked as CVE-2026-25679 and fixed in the Go project’s March 2026 security releases. The root cause is an insufficient...

A parser bug in the Go standard library — tracked as CVE‑2024‑34158 — lets a specially crafted build-tag line trigger stack exhaustion inside go/build/constraint’s Parse routine and crash processes that parse untrusted source files; the bug was fixed in the emergency releases that shipped in...

Microsoft’s brief advisory that Azure Linux includes this open‑source library and is therefore potentially affected is an important inventory signal — but it is not a categorical guarantee that Azure Linux is the only Microsoft product that could carry the vulnerable Go html/template code...

A subtle bug in Go’s standard library quietly opened a door for denial-of-service attacks: malformed ZIP entries could cause archive/zip’s Reader.Open to panic, crashing programs that relied on the io/fs.FS integration introduced in Go 1.16. The issue, tracked as CVE-2021-41772 (GO-2021-0264)...

Executive summary — short answer No. Azure Linux is not the only Microsoft product that can include the vulnerable net/http code. Any Microsoft product, service, agent, SDK, or container image that ships or vendors Go binaries (or Go-based packages) built with the vulnerable versions of the Go...