Vulnerability in golang.org/x/sys


Neal Patel

May 21, 2026, 4:44:58 PM
to golang-announce
Howdy gophers,

We have tagged version v0.45.0 of golang.org/x/sys
in order to address a security issue.

windows: integer overflow in NewNTUnicodeString

NewNTUnicodeString did not check for string length overflow.
When provided with a string that overflows the maximum size of
an NTUnicodeString (a 16-bit number of bytes), it returned a truncated
string rather than an error.

It now correctly returns an error when provided with a too-long string.

This is CVE-2026-39824 and Go issue https://go.dev/issue/78916.


Cheers,
Go Security Team
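
The truncation described in the announcement, shown as an added example that is not part of the original message and is not the golang.org/x/sys code. The type `ntString` and the functions `newUnchecked`, `newChecked` and `visible` are hypothetical stand-ins that model a counted UTF-16 string with 16-bit byte lengths, and the input is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strings"
	"unicode/utf16"
)

// ntString is a stand-in for a counted UTF-16 string whose byte lengths
// are 16-bit fields (assumed layout; not the x/sys type itself).
type ntString struct {
	Length        uint16 // bytes, excluding the terminating NUL
	MaximumLength uint16 // bytes, including the terminating NUL
	Buffer        []uint16
}

var errTooLong = errors.New("string does not fit a 16-bit byte length")

func encode(s string) []uint16 { return append(utf16.Encode([]rune(s)), 0) }

// newUnchecked narrows the byte count to uint16 with no range check, so
// a large input wraps modulo 65536 and the header describes a short prefix.
func newUnchecked(s string) ntString {
	buf := encode(s)
	n := uint16(len(buf) * 2)
	return ntString{Length: n - 2, MaximumLength: n, Buffer: buf}
}

// newChecked returns an error instead of a truncated header.
func newChecked(s string) (ntString, error) {
	buf := encode(s)
	n := len(buf) * 2
	if n > math.MaxUint16 {
		return ntString{}, errTooLong
	}
	return ntString{Length: uint16(n - 2), MaximumLength: uint16(n), Buffer: buf}, nil
}

// visible decodes what a consumer that trusts Length would read.
func visible(u ntString) string { return string(utf16.Decode(u.Buffer[:u.Length/2])) }

func main() {
	long := strings.Repeat("a", 32768) + "tail" // constructed input
	u := newUnchecked(long)
	_, err := newChecked(long)
	fmt.Println(len(long), u.Length, visible(u), err)
}
```

Callers that pin an older golang.org/x/sys can apply the same bound before conversion; after upgrading to v0.45.0 the error return from NewNTUnicodeString has to be handled rather than discarded.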