openSUSE-SU-2026:20570-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20570-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/openSUSE-SU-2026:20570-1
Upstream
Related
Published
2026-04-20T14:02:24Z
Modified
2026-04-22T20:09:56.587332Z
Summary
Security update for go1.25
Details

This update for go1.25 fixes the following issues:

  • Update to version go1.25.9 (bsc#1244485).
  • CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG (bsc#1261653).
  • CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination (bsc#1261654).
  • CVE-2026-27144: cmd/compile: no-op interface conversion bypasses overlap checking (bsc#1261655).
  • CVE-2026-32280: crypto/x509: unexpected work during chain building (bsc#1261656).
  • CVE-2026-32281: crypto/x509: inefficient policy validation (bsc#1261657).
  • CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on Linux (bsc#1261658).
  • CVE-2026-32283: crypto/tls: multiple key update handshake messages can cause connection to deadlock (bsc#1261659).
  • CVE-2026-32288: archive/tar: unbounded allocation when parsing old format GNU sparse map (bsc#1261660).
  • CVE-2026-32289: html/template: JS template literal context incorrectly tracked (bsc#1261661).
References

Affected packages

openSUSE:Leap 16.0 / go1.25

Package

Name
go1.25
Purl
pkg:rpm/opensuse/go1.25&distro=openSUSE%20Leap%2016.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.25.9-160000.1.1

Ecosystem specific 

{
    "binaries": [
        {
            "go1.25": "1.25.9-160000.1.1",
            "go1.25-doc": "1.25.9-160000.1.1",
            "go1.25-race": "1.25.9-160000.1.1",
            "go1.25-libstd": "1.25.9-160000.1.1"
        }
    ]
}

Database specific

source 
"https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20570-1.json"