rpm package
almalinux/golang-race
pkg:rpm/almalinux/golang-race
Vulnerabilities (47)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42507 | Med | 5.3 | < 1.26.4-1.el10_2.alma.1 | 1.26.4-1.el10_2.alma.1 | Jun 2, 2026 | When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged. | |
| CVE-2026-27137 | Hig | 7.5 | < 1.26.2-2.el10_2.alma.1 | 1.26.2-2.el10_2.alma.1 | Mar 6, 2026 | When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered. | |
| CVE-2026-25679 | Hig | 7.5 | < 1.26.2-2.el10_2.alma.1 | 1.26.2-2.el10_2.alma.1 | Mar 6, 2026 | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. | |
| CVE-2025-68121 | Cri | 10.0 | < 1.25.7-1.module_el8.10.0+4117+b694c6c9 | 1.25.7-1.module_el8.10.0+4117+b694c6c9 | Feb 5, 2026 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and | |
| CVE-2025-61732 | — | < 1.25.7-1.module_el8.10.0+4117+b694c6c9 | 1.25.7-1.module_el8.10.0+4117+b694c6c9 | Feb 5, 2026 | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | ||
| CVE-2025-61728 | — | < 1.25.7-1.module_el8.10.0+4117+b694c6c9 | 1.25.7-1.module_el8.10.0+4117+b694c6c9 | Jan 28, 2026 | archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. | ||
| CVE-2025-61726 | — | < 1.25.7-1.module_el8.10.0+4117+b694c6c9 | 1.25.7-1.module_el8.10.0+4117+b694c6c9 | Jan 28, 2026 | The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la | ||
| CVE-2025-61731 | — | < 1.25.8-1.el9_7 | 1.25.8-1.el9_7 | Jan 28, 2026 | Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can | ||
| CVE-2025-61729 | Hig | 7.5 | < 1.25.5-1.module_el8.10.0+4107+b32a33ce | 1.25.5-1.module_el8.10.0+4107+b32a33ce | Dec 2, 2025 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a | |
| CVE-2025-58183 | Med | 4.3 | < 1.25.3-1.el9_7 | 1.25.3-1.el9_7 | Oct 29, 2025 | tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r | |
| CVE-2025-47906 | Med | 6.5 | < 1.25.3-2.module_el8.10.0+4074+24330916 | 1.25.3-2.module_el8.10.0+4074+24330916 | Sep 18, 2025 | If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. | |
| CVE-2025-4674 | Hig | 8.6 | < 1.24.6-1.el9_6 | 1.24.6-1.el9_6 | Jul 29, 2025 | The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another V | |
| CVE-2025-4673 | Med | 6.8 | < 1.24.4-1.el9_6 | 1.24.4-1.el9_6 | Jun 11, 2025 | Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. | |
| CVE-2025-22871 | Cri | 9.1 | < 1.23.9-1.el9_6 | 1.23.9-1.el9_6 | Apr 8, 2025 | The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. | |
| CVE-2024-34156 | Hig | 7.5 | < 1.23.6-2.el9_5 | 1.23.6-2.el9_5 | Sep 6, 2024 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. | |
| CVE-2023-39325 | Hig | 7.5 | < 1.19.13-1.module_el8.8.0+3625+a06035cf | 1.19.13-1.module_el8.8.0+3625+a06035cf | Oct 11, 2023 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack | |
| CVE-2023-44487 | Hig | 7.5 | KEV | < 1.19.13-1.module_el8.8.0+3625+a06035cf | 1.19.13-1.module_el8.8.0+3625+a06035cf | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-29409 | Med | 5.3 | < 1.19.13-1.el9_2 | 1.19.13-1.el9_2 | Aug 2, 2023 | Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are curr | |
| CVE-2023-29405 | Cri | 9.8 | < 1.19.10-1.module_el8.8.0+3571+89db2ae0 | 1.19.10-1.module_el8.8.0+3571+89db2ae0 | Jun 8, 2023 | The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. F | |
| CVE-2023-29404 | Cri | 9.8 | < 1.19.10-1.module_el8.8.0+3571+89db2ae0 | 1.19.10-1.module_el8.8.0+3571+89db2ae0 | Jun 8, 2023 | The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. T |
- affected < 1.26.4-1.el10_2.alma.1fixed 1.26.4-1.el10_2.alma.1
When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.
- affected < 1.26.2-2.el10_2.alma.1fixed 1.26.2-2.el10_2.alma.1
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
- affected < 1.26.2-2.el10_2.alma.1fixed 1.26.2-2.el10_2.alma.1
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
- affected < 1.25.7-1.module_el8.10.0+4117+b694c6c9fixed 1.25.7-1.module_el8.10.0+4117+b694c6c9
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
- CVE-2025-61732Feb 5, 2026affected < 1.25.7-1.module_el8.10.0+4117+b694c6c9fixed 1.25.7-1.module_el8.10.0+4117+b694c6c9
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
- CVE-2025-61728Jan 28, 2026affected < 1.25.7-1.module_el8.10.0+4117+b694c6c9fixed 1.25.7-1.module_el8.10.0+4117+b694c6c9
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
- CVE-2025-61726Jan 28, 2026affected < 1.25.7-1.module_el8.10.0+4117+b694c6c9fixed 1.25.7-1.module_el8.10.0+4117+b694c6c9
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la
- CVE-2025-61731Jan 28, 2026affected < 1.25.8-1.el9_7fixed 1.25.8-1.el9_7
Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can
- affected < 1.25.5-1.module_el8.10.0+4107+b32a33cefixed 1.25.5-1.module_el8.10.0+4107+b32a33ce
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a
- affected < 1.25.3-1.el9_7fixed 1.25.3-1.el9_7
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r
- affected < 1.25.3-2.module_el8.10.0+4074+24330916fixed 1.25.3-2.module_el8.10.0+4074+24330916
If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
- affected < 1.24.6-1.el9_6fixed 1.24.6-1.el9_6
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another V
- affected < 1.24.4-1.el9_6fixed 1.24.4-1.el9_6
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
- affected < 1.23.9-1.el9_6fixed 1.23.9-1.el9_6
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
- affected < 1.23.6-2.el9_5fixed 1.23.6-2.el9_5
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
- affected < 1.19.13-1.module_el8.8.0+3625+a06035cffixed 1.19.13-1.module_el8.8.0+3625+a06035cf
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack
- affected < 1.19.13-1.module_el8.8.0+3625+a06035cffixed 1.19.13-1.module_el8.8.0+3625+a06035cf
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- affected < 1.19.13-1.el9_2fixed 1.19.13-1.el9_2
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are curr
- affected < 1.19.10-1.module_el8.8.0+3571+89db2ae0fixed 1.19.10-1.module_el8.8.0+3571+89db2ae0
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. F
- affected < 1.19.10-1.module_el8.8.0+3571+89db2ae0fixed 1.19.10-1.module_el8.8.0+3571+89db2ae0
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. T
Page 1 of 3