SUSE Releases Security Updates for Go1.25 and Go1.26 Addressing Multiple CVEs

Severity: Medium (Score: 57.8)

Sources: Linuxsecurity

Published: 2026-06-10 · Updated: 2026-06-10

Keywords: update, issues, suse, fixes, following, cve-2026-27145, crypto

Severity indicators: issue, rat, CVE:CVE-2026-27145

Summary

SUSE has released security updates for Go versions 1.25 and 1.26, addressing three critical vulnerabilities identified as CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507. These vulnerabilities affect the crypto/x509, mime, and net/textproto packages, posing risks such as arbitrary input handling and quadratic complexity issues. The vulnerabilities were published on June 2, 2026, with the first public proof of concept for CVE-2026-27145 appearing on June 3, 2026. The updates are rated as moderate, and users are advised to apply the patches promptly to mitigate potential exploitation. The vulnerabilities could allow attackers to manipulate data processing and potentially execute arbitrary code. Both updates were released on June 9, 2026, and are crucial for maintaining the security of applications utilizing these Go versions.

Key Points:

  • SUSE issued updates for Go1.25 and Go1.26 to address three CVEs.
  • CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507 were published on June 2, 2026.
  • The updates are rated as moderate, and users are urged to apply them to prevent exploitation.

Detailed Analysis

**Impact** The security updates affect users of SUSE distributions running Go versions 1.25 and 1.26. The vulnerabilities have moderate severity ratings and could lead to denial of service or information disclosure. No specific sectors, geographies, or data volumes at risk are detailed in the sources.

**Technical Details** The updates address three CVEs: CVE-2026-27145 (crypto/x509 hostname parsing), CVE-2026-42504 (mime WordDecoder.DecodeHeader quadratic complexity), and CVE-2026-42507 (net/textproto error message input escaping). Exploits could involve crafted inputs causing resource exhaustion or injection of unescaped data in error messages. No malware, attack infrastructure, or IOCs are provided.

**Recommended Response** Apply the SUSE security updates SUSE-SU-2026:2326-1 for Go 1.25.11 and SUSE-SU-2026:2327-1 for Go 1.26.4 immediately to mitigate the vulnerabilities. Monitor for unusual application errors or performance degradation related to mime decoding and x509 hostname processing. No additional detection signatures or indicators are specified.
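One way to find already-built binaries that still carry the affected packages, as an added example that is not part of the advisories or of SUSE's or Go's own tooling: by default Go compiles crypto/x509, mime and net/textproto into each executable, so installing the updated toolchain only helps once applications are rebuilt with it. The program reads the toolchain version embedded in each binary with `debug/buildinfo` and compares it with the fixed levels named above; `Classify` and `fixedPatch` are names made up for this example, and reporting other release lines as "unknown" is an assumption because the page does not cover them.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// fixedPatch: first patch level per release line that carries the fixes,
// taken from the two SUSE advisories summarized on this page.
var fixedPatch = map[string]int{"1.25": 11, "1.26": 4}

// Classify maps a Go version string such as "go1.25.9" to "fixed",
// "vulnerable" or "unknown". Release lines the page does not mention and
// strings that do not parse (rc or devel builds) are "unknown".
func Classify(goVersion string) string {
	fields := strings.Fields(goVersion)
	if len(fields) == 0 {
		return "unknown"
	}
	parts := strings.Split(strings.TrimPrefix(fields[0], "go"), ".")
	if len(parts) != 3 {
		return "unknown"
	}
	need, ok := fixedPatch[parts[0]+"."+parts[1]]
	patch, err := strconv.Atoi(parts[2])
	if !ok || err != nil {
		return "unknown"
	}
	if patch >= need {
		return "fixed"
	}
	return "vulnerable"
}

func main() {
	// Usage: pass the paths of the executables to inspect as arguments.
	for _, path := range os.Args[1:] {
		info, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Printf("%s\tnot a Go binary or unreadable: %v\n", path, err)
			continue
		}
		fmt.Printf("%s\t%s\t%s\n", path, info.GoVersion, Classify(info.GoVersion))
	}
}
```

Binaries reported as "vulnerable" need a rebuild with the updated go1.25 or go1.26 package and a redeploy; "unknown" results need a manual check against the upstream advisories.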

Source articles (2)

  • SUSE 2026-2327 — Linuxsecurity · 2026-06-10
    ## This update for go1.26 fixes the following issues Update to go1.26.4 (bsc#1255111): * CVE-2026-27145: crypto/x509: split candidate hostname only once (bsc#1267450). * CVE-2026-42504: mime: quadrati…
  • SUSE Go1.25 Moderate Security Update for Multiple Issues 2026-2326 — Linuxsecurity · 2026-06-10
    ## This update for go1.25 fixes the following issues Update to go1.25.11 (bsc#1244485): * CVE-2026-27145: crypto/x509: split candidate hostname only once (bsc#1267450). * CVE-2026-42504: mime: quadrat…

Timeline

  • 2026-06-02 — CVE-2026-42507 published: CVE-2026-42507 was disclosed, detailing vulnerabilities in Go's net/textproto package.
  • 2026-06-02 — CVE-2026-42504 published: CVE-2026-42504 was disclosed, highlighting issues in Go's mime package.
  • 2026-06-02 — CVE-2026-27145 published: CVE-2026-27145 was published, affecting Go's crypto/x509 package, with a PoC released on June 3.
  • 2026-06-03 — First public PoC for CVE-2026-27145: A proof of concept for CVE-2026-27145 was made public, demonstrating the vulnerability.
  • 2026-06-09 — SUSE releases updates for Go1.25 and Go1.26: SUSE released security updates for Go1.25 and Go1.26 addressing the identified vulnerabilities.

CVEs

  • CVE-2026-27145
  • CVE-2026-42504
  • CVE-2026-42507

Related entities

  • SuSE (Company)