Security update for go1.24 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20122-1 Final 1 1 2026-01-22T12:53:24Z current 2026-01-22T12:53:24Z 2026-01-22T12:53:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.24 This update for go1.24 fixes the following issues: Update to go1.24.12 (released 2026-01-15) (bsc#1236217) Security fixes: - CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821). - CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain (bsc#1256820). - CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819). - CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm (bsc#1256817). - CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816). - CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818). Other fixes: * go#76408 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled * go#76624 os: on Unix, Readdirnames skips directory entries with zero inodes * go#76760 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386 * go#76796 runtime: race detector crash on ppc64le * go#76966 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLES-16.0-166 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620122-1/ Link for SUSE-SU-2026:20122-1 https://lists.suse.com/pipermail/sle-updates/2026-January/043748.html E-Mail link for SUSE-SU-2026:20122-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1236217 SUSE Bug 1236217 https://bugzilla.suse.com/1256816 SUSE Bug 1256816 https://bugzilla.suse.com/1256817 SUSE Bug 1256817 https://bugzilla.suse.com/1256818 SUSE Bug 1256818 https://bugzilla.suse.com/1256819 SUSE Bug 1256819 https://bugzilla.suse.com/1256820 SUSE Bug 1256820 https://bugzilla.suse.com/1256821 SUSE Bug 1256821 https://www.suse.com/security/cve/CVE-2025-61726/ SUSE CVE CVE-2025-61726 page https://www.suse.com/security/cve/CVE-2025-61728/ SUSE CVE CVE-2025-61728 page https://www.suse.com/security/cve/CVE-2025-61730/ SUSE CVE CVE-2025-61730 page https://www.suse.com/security/cve/CVE-2025-61731/ SUSE CVE CVE-2025-61731 page https://www.suse.com/security/cve/CVE-2025-68119/ SUSE CVE CVE-2025-68119 page https://www.suse.com/security/cve/CVE-2025-68121/ SUSE CVE CVE-2025-68121 page SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 go1.24-1.24.12-160000.1.1 go1.24-doc-1.24.12-160000.1.1 go1.24-libstd-1.24.12-160000.1.1 go1.24-race-1.24.12-160000.1.1 go1.24-1.24.12-160000.1.1 as a component of SUSE Linux Enterprise Server 16.0 go1.24-doc-1.24.12-160000.1.1 as a component of SUSE Linux Enterprise Server 16.0 go1.24-libstd-1.24.12-160000.1.1 as a component of SUSE Linux Enterprise Server 16.0 go1.24-race-1.24.12-160000.1.1 as a component of SUSE Linux Enterprise Server 16.0 go1.24-1.24.12-160000.1.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 go1.24-doc-1.24.12-160000.1.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 go1.24-libstd-1.24.12-160000.1.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 go1.24-race-1.24.12-160000.1.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. CVE-2025-61726 SUSE Linux Enterprise Server 16.0:go1.24-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-doc-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-libstd-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-race-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-doc-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-libstd-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-race-1.24.12-160000.1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620122-1/ https://www.suse.com/security/cve/CVE-2025-61726.html CVE-2025-61726 https://bugzilla.suse.com/1256817 SUSE Bug 1256817 archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. CVE-2025-61728 SUSE Linux Enterprise Server 16.0:go1.24-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-doc-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-libstd-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-race-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-doc-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-libstd-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-race-1.24.12-160000.1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620122-1/ https://www.suse.com/security/cve/CVE-2025-61728.html CVE-2025-61728 https://bugzilla.suse.com/1256816 SUSE Bug 1256816 During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. CVE-2025-61730 SUSE Linux Enterprise Server 16.0:go1.24-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-doc-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-libstd-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-race-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-doc-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-libstd-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-race-1.24.12-160000.1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620122-1/ https://www.suse.com/security/cve/CVE-2025-61730.html CVE-2025-61730 https://bugzilla.suse.com/1256821 SUSE Bug 1256821 Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location. CVE-2025-61731 SUSE Linux Enterprise Server 16.0:go1.24-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-doc-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-libstd-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-race-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-doc-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-libstd-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-race-1.24.12-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620122-1/ https://www.suse.com/security/cve/CVE-2025-61731.html CVE-2025-61731 https://bugzilla.suse.com/1256819 SUSE Bug 1256819 Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths. CVE-2025-68119 SUSE Linux Enterprise Server 16.0:go1.24-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-doc-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-libstd-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-race-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-doc-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-libstd-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-race-1.24.12-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620122-1/ https://www.suse.com/security/cve/CVE-2025-68119.html CVE-2025-68119 https://bugzilla.suse.com/1256820 SUSE Bug 1256820 unknown CVE-2025-68121 SUSE Linux Enterprise Server 16.0:go1.24-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-doc-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-libstd-1.24.12-160000.1.1 SUSE Linux Enterprise Server 16.0:go1.24-race-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-doc-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-libstd-1.24.12-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:go1.24-race-1.24.12-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620122-1/ https://www.suse.com/security/cve/CVE-2025-68121.html CVE-2025-68121 https://bugzilla.suse.com/1256818 SUSE Bug 1256818