Security update for go1.26

Announcement ID:	SUSE-SU-2026:1861-1
Release Date:	2026-05-14T22:33:22Z
Rating:	important
References:	bsc#1170826 bsc#1255111 bsc#1264499 bsc#1264500 bsc#1264501 bsc#1264502 bsc#1264503 bsc#1264504 bsc#1264505 bsc#1264506 bsc#1264507 bsc#1264508 bsc#1264509
Cross-References:	CVE-2026-33811 CVE-2026-33814 CVE-2026-39817 CVE-2026-39819 CVE-2026-39820 CVE-2026-39823 CVE-2026-39825 CVE-2026-39826 CVE-2026-39836 CVE-2026-42499 CVE-2026-42501
CVSS scores:	CVE-2026-33811 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-33811 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-33811 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-33814 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-33814 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-33814 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-39817 ( SUSE ): 5.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N CVE-2026-39817 ( NVD ): 5.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N CVE-2026-39817 ( NVD ): 5.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N CVE-2026-39819 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N CVE-2026-39819 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N CVE-2026-39819 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N CVE-2026-39820 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-39820 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-39820 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-39823 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2026-39823 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2026-39825 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2026-39825 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2026-39826 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2026-39826 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2026-39836 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-39836 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-39836 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-42499 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-42499 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-42501 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2026-42501 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	Development Tools Module 15-SP7 SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP4 LTSS SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server 15 SP5 LTSS SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server 15 SP6 LTSS SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves 11 vulnerabilities and has two security fixes can now be installed.

Description:

This update for go1.26 fixes the following issues

Security issues:

• CVE-2026-33811: net: crash when handling long CNAME response (bsc#1264508).
• CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1264506).
• CVE-2026-39817: cmd/go: "go tool pack" does not sanitize output paths (bsc#1264505).
• CVE-2026-39819: cmd/go: "go bug" follows symlinks in predictable temporary filenames (bsc#1264504).
• CVE-2026-39820: net/mail: quadratic string concatentation in consumeComment (bsc#1264503).
• CVE-2026-39823: html/template: bypass of meta content URL escaping causes XSS (bsc#1264509).
• CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters (bsc#1264500).
• CVE-2026-39826: html/template: escaper bypass leads to XSS (bsc#1264507).
• CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte on Windows (bsc#1264501).
• CVE-2026-42499: net/mail: quadratic string concatenation in consumePhrase (bsc#1264502).
• CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum database (bsc#1264499).

Non security issues:

• go1.26 release tracking (bsc#1255111).
• Go packages miss binutils-gold dependency (bsc#1170826).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Development Tools Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2026-1861=1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-1861=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-1861=1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-1861=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-1861=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP5
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-1861=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP6
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-1861=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-1861=1
• SUSE Linux Enterprise Server 15 SP4 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-1861=1
• SUSE Linux Enterprise Server 15 SP5 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-1861=1
• SUSE Linux Enterprise Server 15 SP6 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-1861=1

Package List:

• Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  • go1.26-doc-1.26.3-150000.1.12.1
  • go1.26-race-1.26.3-150000.1.12.1
  • go1.26-1.26.3-150000.1.12.1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
  • go1.26-doc-1.26.3-150000.1.12.1
  • go1.26-race-1.26.3-150000.1.12.1
  • go1.26-1.26.3-150000.1.12.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
  • go1.26-doc-1.26.3-150000.1.12.1
  • go1.26-race-1.26.3-150000.1.12.1
  • go1.26-1.26.3-150000.1.12.1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64)
  • go1.26-doc-1.26.3-150000.1.12.1
  • go1.26-race-1.26.3-150000.1.12.1
  • go1.26-1.26.3-150000.1.12.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
  • go1.26-doc-1.26.3-150000.1.12.1
  • go1.26-race-1.26.3-150000.1.12.1
  • go1.26-1.26.3-150000.1.12.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
  • go1.26-doc-1.26.3-150000.1.12.1
  • go1.26-race-1.26.3-150000.1.12.1
  • go1.26-1.26.3-150000.1.12.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
  • go1.26-doc-1.26.3-150000.1.12.1
  • go1.26-race-1.26.3-150000.1.12.1
  • go1.26-1.26.3-150000.1.12.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64)
  • go1.26-doc-1.26.3-150000.1.12.1
  • go1.26-race-1.26.3-150000.1.12.1
  • go1.26-1.26.3-150000.1.12.1
• SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
  • go1.26-doc-1.26.3-150000.1.12.1
  • go1.26-race-1.26.3-150000.1.12.1
  • go1.26-1.26.3-150000.1.12.1
• SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
  • go1.26-doc-1.26.3-150000.1.12.1
  • go1.26-race-1.26.3-150000.1.12.1
  • go1.26-1.26.3-150000.1.12.1
• SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
  • go1.26-doc-1.26.3-150000.1.12.1
  • go1.26-race-1.26.3-150000.1.12.1
  • go1.26-1.26.3-150000.1.12.1

References:

• https://www.suse.com/security/cve/CVE-2026-33811.html
• https://www.suse.com/security/cve/CVE-2026-33814.html
• https://www.suse.com/security/cve/CVE-2026-39817.html
• https://www.suse.com/security/cve/CVE-2026-39819.html
• https://www.suse.com/security/cve/CVE-2026-39820.html
• https://www.suse.com/security/cve/CVE-2026-39823.html
• https://www.suse.com/security/cve/CVE-2026-39825.html
• https://www.suse.com/security/cve/CVE-2026-39826.html
• https://www.suse.com/security/cve/CVE-2026-39836.html
• https://www.suse.com/security/cve/CVE-2026-42499.html
• https://www.suse.com/security/cve/CVE-2026-42501.html
• https://bugzilla.suse.com/show_bug.cgi?id=1170826
• https://bugzilla.suse.com/show_bug.cgi?id=1255111
• https://bugzilla.suse.com/show_bug.cgi?id=1264499
• https://bugzilla.suse.com/show_bug.cgi?id=1264500
• https://bugzilla.suse.com/show_bug.cgi?id=1264501
• https://bugzilla.suse.com/show_bug.cgi?id=1264502
• https://bugzilla.suse.com/show_bug.cgi?id=1264503
• https://bugzilla.suse.com/show_bug.cgi?id=1264504
• https://bugzilla.suse.com/show_bug.cgi?id=1264505
• https://bugzilla.suse.com/show_bug.cgi?id=1264506
• https://bugzilla.suse.com/show_bug.cgi?id=1264507
• https://bugzilla.suse.com/show_bug.cgi?id=1264508
• https://bugzilla.suse.com/show_bug.cgi?id=1264509