A new security advisory affecting the Go standard library's crypto/x509 package — tracked as CVE-2026-27138 — warns that certificate chain verification can panic when an intermediate or leaf certificate contains an empty DNS name while another certificate in the same chain includes excluded name...
The Go standard library has picked up a subtle but meaningful security fix: a time‑of‑check/time‑of‑use (TOCTOU) race in the os package could let a returned FileInfo refer to a file outside a previously opened Root, allowing an attacker to probe filesystem metadata outside the intended root. The...
The Go standard library's html/template package has a newly disclosed security flaw — tracked as CVE-2026-27142 — that can leave web applications vulnerable to cross-site scripting (XSS) when untrusted values are templated into the content attribute of HTML meta tags, particularly those using...
A subtle bug in the Go standard library’s HTTP and MIME header parsing — tracked as CVE-2023-24534 — allows specially crafted requests to force excessive memory allocation inside the net/http and net/textproto packages, producing a practical denial-of-service (DoS) vector that can exhaust...
Go’s net/http standard library contains a subtle protocol-handling bug — tracked as CVE-2024-24791 — that can be weaponized to cause sustained denial-of-service conditions against Go-based HTTP proxies and other components that reuse HTTP connections, and operators must treat it as a...
A high‑severity denial‑of‑service vulnerability — tracked as CVE‑2024‑37298 — was disclosed in the popular Go library github.com/gorilla/schema, allowing an attacker to force unbounded memory allocations when the library decodes form or query parameters into structs that contain slices of nested...
A subtle parsing bug in Go’s standard library — specifically in the math/big package’s handling of rational numbers — could be weaponized to crash processes and deny service: inputs with excessively large exponents passed to (big.Rat).SetString or (big.Rat).UnmarshalText may trigger a panic or...
Go’s net/http HTTP/2 “rapid reset” weakness (CVE-2023-39325) is real, it was fixed upstream, and Microsoft’s short public mapping that “Azure Linux includes this open‑source library and is therefore potentially affected” is an authoritative product‑level attestation — but it is not a blanket...
A critical availability weakness in Go’s standard library — tracked as CVE-2024-34156 — lets an attacker reliably crash a process that decodes untrusted gob data by driving the decoder into stack exhaustion. The flaw is simple in concept but serious in consequence: calling encoding/gob’s...
A subtle arithmetic bug in a widely used Go PostgreSQL driver — pgx — turned into a critical SQL‑injection risk: if an attacker can force a single query or bind message to exceed 4 GB, a 32‑bit size calculation can wrap and let the attacker fragment and inject protocol messages, enabling arbitrary...
A simple, malformed gzip archive can still bring down a Go-based service: an uncontrolled recursion bug in Go’s standard library compress/gzip Reader.Read lets an attacker crash applications by exhausting the stack when parsing archives composed of many concatenated zero-length compressed files...
The Verify function in Go’s crypto/dsa implementation (crypto/dsa/dsa.go) contained an input‑validation flaw that could be weaponized to force an application into an infinite loop and an effective denial‑of‑service; the bug was tracked as CVE‑2016‑3959 and fixed in the emergency releases Go...
Expr’s evaluator can be crashed by ordinary builtin calls: a newly assigned CVE shows several widely used functions in the Expr Go package performed unbounded recursion over user-supplied data and could exhaust the Go runtime stack, allowing attackers to cause a process-level denial of service...
Microsoft’s short advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate — but it is a product‑scoped inventory statement, not a categorical guarantee that no other Microsoft product can include the same vulnerable Go library. Background /...
A denial-of-service flaw in the widely used Go logging library logrus can render Entry.Writer unusable when it receives a single-line log payload larger than 64 KB with no newline characters, creating the potential for sustained or persistent application unavailability until the library is...
The Go standard library vulnerability tracked as CVE-2025-47912 — a flaw in net/url that allows values other than IPv6 addresses to appear inside square-bracketed host components — has been publicly disclosed and patched upstream, and Microsoft’s initial machine-readable attestations currently...
A high-severity bug in the Go standard library — tracked as CVE-2025-58188 — can cause programs to panic during X.509 certificate validation when a certificate chain contains a DSA public key, enabling an attacker to induce denial-of-service conditions against any application that validates...