Bump Go toolchain to 1.26.4 to address stdlib CVEs #5426

Closed
amirejaz wants to merge 1 commit into main from bump-go-toolchain-1.26.4

Conversation

amirejaz (Contributor) commented Jun 3, 2026

Summary

Pins the Go toolchain to 1.26.4 in `go.mod` to fix three stdlib CVEs introduced since go1.26.3:

  • `GO-2026-5037` (CVE-2026-27145) — `crypto/x509` `VerifyHostname` quadratic-cost perf
  • `GO-2026-5038` (CVE-2026-42504) — `mime` `WordDecoder.DecodeHeader` excessive CPU
  • `GO-2026-5039` (CVE-2026-42507) — `net/textproto` user input in error messages

This is the clean fix. Once merged, the exclusions added in #5425 can be reverted and Renovate will handle future toolchain bumps automatically (the `toolchain` depType is enabled by default in the `gomod` manager).

Type of change

  • Other (dependency / toolchain bump)

Test plan

  • Go Vulnerability Check expected to pass on this PR

Generated with Claude Code

Pins the toolchain to go1.26.4 which contains fixes for
GO-2026-5037, GO-2026-5038, and GO-2026-5039 in the stdlib.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
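A check of the kind this PR's test plan relies on, as an added example that is not part of this PR or the project's code: it reads the toolchain pin from a `go.mod` and verifies it is at or above the release that carries the fixes. It assumes a Go 1.22+ standard library (for `go/version`) and uses a constructed `go.mod`, not the project's own.

```go
package main

import (
	"fmt"
	"go/version"
	"strings"
)

// goModSample is a constructed go.mod in the shape this PR leaves behind
// (a "go" directive plus an explicit "toolchain" pin), not the project's real file.
const goModSample = "module example.com/app\n\ngo 1.26\n\ntoolchain go1.26.4\n"

// EffectiveToolchain returns the toolchain a go.mod selects: the explicit
// "toolchain" directive when present, otherwise the "go" directive.
func EffectiveToolchain(goMod string) (string, error) {
	fallback := ""
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // ignore trailing comments
		switch {
		case len(f) == 2 && f[0] == "toolchain":
			return f[1], nil
		case len(f) == 2 && f[0] == "go":
			fallback = "go" + f[1] // "go 1.26" -> "go1.26", the form go/version expects
		}
	}
	if fallback == "" {
		return "", fmt.Errorf("go.mod has neither a go nor a toolchain directive")
	}
	return fallback, nil
}

// ToolchainAtLeast is the gate a CI job would run after a bump like this one:
// does goMod pin a toolchain at or above minVersion? go/version orders
// "go1.26" < "go1.26rc1" < "go1.26.0" < "go1.26.4", so a bare "go 1.26"
// directive with no toolchain line does not satisfy "go1.26.4".
func ToolchainAtLeast(goMod, minVersion string) (bool, error) {
	tc, err := EffectiveToolchain(goMod)
	if err != nil {
		return false, err
	}
	if !version.IsValid(tc) || !version.IsValid(minVersion) {
		return false, fmt.Errorf("invalid Go version: %q vs %q", tc, minVersion)
	}
	return version.Compare(tc, minVersion) >= 0, nil
}

func main() {
	ok, err := ToolchainAtLeast(goModSample, "go1.26.4")
	fmt.Println(ok, err) // true <nil>
}
```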
@amirejaz amirejaz requested a review from JAORMX as a code owner June 3, 2026 11:15
@github-actions github-actions Bot added the size/XS Extra small PR: < 100 lines changed label Jun 3, 2026
codecov Bot commented Jun 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.84%. Comparing base (535e808) to head (5bfea4c).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5426   +/-   ##
=======================================
  Coverage   68.84%   68.84%           
=======================================
  Files         634      634           
  Lines       64433    64433           
=======================================
+ Hits        44358    44361    +3     
+ Misses      16795    16790    -5     
- Partials     3280     3282    +2     


@rdimitrov rdimitrov closed this Jun 3, 2026
@rdimitrov rdimitrov deleted the bump-go-toolchain-1.26.4 branch June 3, 2026 11:31