go vulnerability
About this tag
The go vulnerability tag covers security flaws in the Go standard library, including CVEs in crypto/x509, go/parser, net/mail, encoding/pem, archive/tar, and hostname validation. Recurring themes include denial of service via panic, stack exhaustion, quadratic-time parsing, and unbounded memory allocation. Microsoft's Azure Linux distribution is frequently attested as including vulnerable Go code, but these attestations are product-level inventory statements, not guarantees that other Microsoft products are unaffected. Discussions emphasize prompt patching to fixed releases (Go 1.22.7, 1.23.1, or later) and caution against assuming limited scope based on partial attestations.
CVE-2026-25680 is a Go vulnerability published on May 22, 2026, affecting golang.org/x/net before version 0.55.0, where the html parser can spend excessive CPU time processing attacker-supplied HTML and cause denial of service in applications that parse untrusted markup. The bug is not...
A newly disclosed vulnerability in the golang.org/x/net HTTP/2 implementation can be triggered by sending a narrow range of HTTP/2 frame types (0x0a–0x0f), causing a nil-pointer panic that crashes servers using affected module versions — a denial-of-service vector that is easy to trigger from...
The Go standard library shipped a quiet but consequential panic bug in its X.509 verification path: CVE-2022-27536 allowed a remote TLS server to deliver specially malformed certificates that would cause crypto/x509.Certificate.Verify to panic on macOS, crashing TLS clients built with Go 1.18.0...
Calling any of Go's Parse* functions on specially crafted, deeply nested source can exhaust the stack and trigger a panic — a vulnerability tracked as CVE-2024-34155 that sits in the go/parser standard library and has been fixed in the Go 1.22.7 and 1.23.1 releases; Microsoft’s public...
Microsoft’s public advisory for CVE-2025-58187 names Azure Linux as a product that “includes this open-source library and is therefore potentially affected,” but that statement is a product-level attestation — not a categorical guarantee that no other Microsoft product can include the same...
The short answer is: No — Azure Linux is not necessarily the only Microsoft product that can include the vulnerable code, but it is the only Microsoft product Microsoft has publicly attested as including the affected Go standard-library component so far; absence of additional attestations is not...
Microsoft’s MSRC entry for CVE-2025-61723 names the Go standard library package encoding/pem as vulnerable to a quadratic-time parsing condition but explicitly ties Microsoft’s public product-level attestation to Azure Linux — and that attestation is a statement of inventory for that product...
A newly published vulnerability in Go's standard library, tracked as CVE-2025-61729, exposes a denial-of-service vector in the crypto/x509 package: the HostnameError.Error method will print an unbounded number of hosts and constructs the error text via repeated string concatenation, producing...
A critical memory-allocation flaw in the Go standard library’s archive/tar package (tracked as CVE-2025-58183) can cause a Go program to perform unbounded allocations when parsing GNU pax-format sparse maps, producing an out-of-memory condition and a possible denial-of-service. Microsoft’s...