Skip to content

fix: bump toolchain to go1.26.4 to address stdlib security vulnerabilities#312

Open
Farjaad wants to merge 3 commits into
mainfrom
fix/bump-toolchain-go1.26.4
Open

fix: bump toolchain to go1.26.4 to address stdlib security vulnerabilities#312
Farjaad wants to merge 3 commits into
mainfrom
fix/bump-toolchain-go1.26.4

Conversation

@Farjaad

@Farjaad Farjaad commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Bumps the Go toolchain from go1.26.2 to go1.26.4 to remediate 8 high-severity stdlib vulnerabilities flagged by Grype on the opslevel-runner container image.

Also includes a transitive bump of golang.org/x/net from v0.54.0 to v0.55.0 pulled in by go mod tidy.

Background

Grype scans the published container image and detects the Go toolchain version embedded in the compiled binary metadata. When the toolchain version is older than the version that patched a known CVE, Grype flags it — regardless of whether the vulnerable code path is actually reachable. The only fix is to recompile with a patched toolchain.

The v2026.7.7 release was built with toolchain go1.26.2, which predates three subsequent Go security patch releases.

Note: go1.26.5 (released 2026-07-07) is skipped per our one-week cooloff policy. It will be picked up in a follow-up bump.

Vulnerabilities Fixed

All 8 are Go standard library bugs. They are fixed by the toolchain upgrade alone — no application code changes are required.

ID Severity Package Fixed In
GO-2026-4977 High net/mail — DoS via consumePhrase when parsing RFC 5322 email addresses go1.26.3
GO-2026-4986 High net/mail — excessive CPU/memory in ParseAddress, ParseAddressList, ParseDate go1.26.3
GO-2026-4918 High golang.org/x/net/http2 — infinite loop on SETTINGS_MAX_FRAME_SIZE=0 go1.26.3
GO-2026-4971 High netDial/LookupPort panic on NUL input on Windows go1.26.3
GO-2026-4981 High net — double-free crash in cgo DNS resolver on very long CNAME response go1.26.3
GO-2026-5037 High crypto/x509 — quadratic cost in VerifyHostname with large DNS SAN lists go1.26.4
GO-2026-5038 High mime — excessive CPU decoding malformed MIME headers with invalid encoded-words go1.26.4
GO-2026-5026 High net/textproto go1.26.4

Full Go 1.26 release history: https://go.dev/doc/devel/release#go1.26

What Changed

src/go.mod
- toolchain go1.26.2
+ toolchain go1.26.4

golang.org/x/net v0.54.0 -> v0.55.0  (transitive, go mod tidy)

Safety

Go patch releases are security/bug-fix only — no API changes, no breaking changes. This was verified by:

  • go build ./... succeeds
  • govulncheck ./... reports no vulnerabilities
  • No application code changes required

@Farjaad Farjaad requested a review from archf July 7, 2026 20:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants