[security] Go 1.24 Release Candidate 3 is released

[Cherry Mui]

Hello gophers,

We have just released go1.24rc3, a release candidate version of Go 1.24.

This release candidate includes 2 security fixes following the security policy:

• cmd/go: arbitrary code execution during build on darwin
  
  On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive.
  
  This issue only affected go1.24rc2.
  
  Thanks to Juho Forsén of Mattermost for reporting this issue.
  
  This is CVE-2025-22867 and Go issue https://go.dev/issue/71476.
  
  

• crypto/elliptic: timing sidechannel for P-256 on ppc64le
  
  Due to the usage of a variable time instruction in the assembly implementation
  of an internal function, a small number of bits of secret scalars are leaked on
  the ppc64le architecture. Due to the way this function is used, we do not
  believe this leakage is enough to allow recovery of the private key when P-256
  is used in any well known protocols.
  
  This is CVE-2025-22866 and Go issue https://go.dev/issue/71383.

Please try your production load tests and unit tests with the new version. Your help testing these pre-release versions is invaluable.

Report any problems using the issue tracker: https://go.dev/issue/new

If you have Go installed already, an easy way to try go1.24rc3 is by using the go command:

$ go install golang.org/dl/go1.24rc3@latest

$ go1.24rc3 download

You can download binary and source distributions from the usual place: https://go.dev/dl/#go1.24rc3

To find out what has changed in Go 1.24, read the draft release notes: https://tip.golang.org/doc/go1.24

Cheers,
Cherry and Carlos for the Go team