[security] Go 1.26.5 and Go 1.25.12 are released

167 views
Skip to first unread message

anno...@golang.org

unread,
4:24 PM (4 hours ago) 4:24 PM
to golan...@googlegroups.com

Hello gophers,

We have just released Go versions 1.26.5 and 1.25.12, minor point releases.

These releases include 2 security fixes following the security policy:

  • os: Root escape via symlink plus trailing slash

    On Unix systems, opening a file in an os.Root improperly
    followed symlinks to locations outside of the Root when
    the final path component of the a path is a symbolic link
    and the path ends in /.

    For example, root.Open("symlink/") would open "symlink"
    even when "symlink" is a symbolic link pointing outside of the root.

    On Unix, openat(fd, path, O_NOFOLLOW) will follow symlinks
    in path when path ends in a /. Root failed to account for
    this behavior, permitting paths with a trailing / to escape.
    It now properly sanitizes the path parameter provided to openat.

    Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue.

    This is CVE-2026-39822 and Go issue https://go.dev/issue/79005.

  • crypto/tls: Encrypted Client Hello privacy leak

    The Encrypted Client Hello implementation would leak the pre-shared key
    identities during the handshake, allowing a passive network observer who can
    collect handshakes to de-anonymize the hostname of the server, even when ECH was
    being used.

    Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.

    This is CVE-2026-42505 and Go issue https://go.dev/issue/79282.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.26.5

You can download binary and source distributions from the Go website:
https://go.dev/dl/

To compile from source using a Git clone, update to the release with
git checkout go1.26.5 and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
Junyang and David for the Go team

Reply all
Reply to author
Forward
0 new messages