
fix(cve): CVE-2026-32280, CVE-2026-32281 - update Go 1.25.8 to 1.25.9 [release-v0.37.6] #2878

Closed
divyansh42 wants to merge 1 commit into release-v0.37.6 from fix/cve-2026-32280-go-stdlib-release-v0.37.6-attempt-1

Conversation

@divyansh42
Member

Summary

This PR fixes CVE-2026-32280 and CVE-2026-32281 by updating Go from 1.25.8 to 1.25.9 in the release-v0.37.6 branch (Pipelines 1.15).

CVE Details

CVE             Package                     Severity  CVSS  Affected  Fixed
CVE-2026-32280  Go crypto/x509, crypto/tls  HIGH      7.5   < 1.25.9  1.25.9
CVE-2026-32281  Go crypto/x509              HIGH      7.5   < 1.25.9  1.25.9

CVE-2026-32280: During chain building, the amount of work done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, potentially causing denial of service.

CVE-2026-32281: Validating certificate chains which use policies is unexpectedly inefficient when certificates contain a very large number of policy mappings, possibly causing denial of service.

Fix Summary

  • Updated go.mod from go 1.25.8 to go 1.25.9
  • Ran go mod tidy, go mod verify, and go mod vendor
  • Build verified: go build ./... exits 0

Test Results

Status: ⚠️ No automated unit tests run (build-only verification)

Tests discovered: Build compilation check only
Test command: go build ./...
Result: ✅ PASSED (exit code 0)

ℹ️ Full test suite runs in CI/CD after PR creation. No automated pre-PR test suite was executed — build compilation confirms code integrity.

Breaking Changes

None. This is a Go patch version bump within the same minor line (1.25.8 → 1.25.9). No API changes or breaking changes introduced.

Verification Steps

  • Go updated from 1.25.8 to 1.25.9 in go.mod
  • go mod tidy completed successfully
  • go mod verify: all modules verified
  • go mod vendor completed successfully
  • Build passes: go build ./...
  • CI/CD checks pass
  • Verify CVE resolution with security scanner

Risk Assessment

Factor            Assessment
Risk Level        Low
Breaking Changes  None (patch version bump)
Compatibility     Go 1.25.9 is backward compatible
Impact            Removes DoS vulnerability in certificate chain validation

Jira References

Resolves: SRVKP-12045, SRVKP-12003


🤖 Generated by CVE Fixer Workflow
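The description above attributes CVE-2026-32280 to a large number of intermediates passed in VerifyOptions.Intermediates. In most services that set comes straight from the peer (the certificate chain a TLS client or server presents, or certificates a caller uploads for validation), so the size of that input is attacker-controlled. The toolchain bump is the fix; the following is an added example, not code from the Tekton repository, of the defense-in-depth bound that makes sense around any such call regardless of toolchain: cap the number of untrusted intermediates before they reach crypto/x509 chain building. MaxIntermediates, the certificate names and the in-process throwaway CA are assumptions for the example. It builds a root -> two intermediates -> leaf chain, verifies it with the honest intermediate set, and rejects an oversized set before Verify is called.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxIntermediates is this example's policy cap on caller-supplied
// intermediates handed to chain building (an assumed value, not Tekton's).
const MaxIntermediates = 8

// ErrTooManyIntermediates is returned before any chain building is attempted.
var ErrTooManyIntermediates = errors.New("too many intermediate certificates supplied")

// VerifyBounded wraps (*x509.Certificate).Verify. The untrusted intermediate
// set is what a peer controls, so it is size-checked before it is ever placed
// in VerifyOptions.Intermediates.
func VerifyBounded(leaf *x509.Certificate, intermediates []*x509.Certificate, roots *x509.CertPool) ([][]*x509.Certificate, error) {
	if len(intermediates) > MaxIntermediates {
		return nil, fmt.Errorf("%w: got %d, limit %d", ErrTooManyIntermediates, len(intermediates), MaxIntermediates)
	}
	pool := x509.NewCertPool()
	for _, c := range intermediates {
		pool.AddCert(c)
	}
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool})
}

var serial int64

// issue creates a certificate for cn signed by parent/parentKey, or self-signed
// when parent is nil. Everything is generated in-process; none of it is a real CA.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildChain generates root -> depth intermediates -> leaf and returns the leaf,
// the intermediates as a peer would present them, and a pool holding the root.
func BuildChain(depth int) (*x509.Certificate, []*x509.Certificate, *x509.CertPool) {
	root, rootKey := issue("Example Root", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	parent, parentKey := root, rootKey
	var intermediates []*x509.Certificate
	for i := 0; i < depth; i++ {
		ca, caKey := issue(fmt.Sprintf("Example Intermediate %d", i+1), true, parent, parentKey)
		intermediates = append(intermediates, ca)
		parent, parentKey = ca, caKey
	}
	leaf, _ := issue("example.invalid", false, parent, parentKey)
	return leaf, intermediates, roots
}

// PadIntermediates appends n unrelated self-signed CA certificates, standing in
// for the oversized intermediate list a hostile peer could send.
func PadIntermediates(intermediates []*x509.Certificate, n int) []*x509.Certificate {
	out := append([]*x509.Certificate(nil), intermediates...)
	for i := 0; i < n; i++ {
		ca, _ := issue(fmt.Sprintf("Unrelated CA %d", i), true, nil, nil)
		out = append(out, ca)
	}
	return out
}

func main() {
	leaf, intermediates, roots := BuildChain(2)
	chains, err := VerifyBounded(leaf, intermediates, roots)
	fmt.Printf("honest peer: %d chain(s) built, err=%v\n", len(chains), err)
	_, err = VerifyBounded(leaf, PadIntermediates(intermediates, 50), roots)
	fmt.Printf("oversized intermediate list: err=%v\n", err)
}
```

The cap is a bound on untrusted input, not a replacement for the stdlib fix: a valid chain still fails the normal way when an intermediate is missing, and a chain that needs more than MaxIntermediates hops is rejected by policy rather than by cost. Pick the limit from the deepest chain you actually need to accept.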

@tekton-robot
Contributor

@divyansh42: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label May 19, 2026
@linux-foundation-easycla

linux-foundation-easycla Bot commented May 19, 2026

CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: divyansh42 / name: divyansh42 (d9b0f66)

@tekton-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from divyansh42 after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 19, 2026
….25.9

- Update Go from 1.25.8 to 1.25.9 to address Go stdlib vulnerabilities
- CVE-2026-32280 (CVSS 7.5 HIGH): crypto/x509 DoS via certificate chain building
  All Go versions < 1.25.9 affected; fixed in 1.25.9
- CVE-2026-32281 (CVSS 7.5 HIGH): crypto/x509 DoS via inefficient certificate
  chain validation; fixed in Go 1.25.9

Changes:
- go.mod: go 1.25.8 → go 1.25.9
- go mod tidy, go mod verify, go mod vendor completed

Resolves: SRVKP-12045, SRVKP-12003

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: divyansh42 <diagrawa@redhat.com>
@divyansh42 divyansh42 force-pushed the fix/cve-2026-32280-go-stdlib-release-v0.37.6-attempt-1 branch from c6bece0 to d9b0f66 Compare May 20, 2026 06:33
@tekton-robot tekton-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 20, 2026
@divyansh42 divyansh42 closed this May 20, 2026
@divyansh42
Member Author

Closing in favor of #2880 which now covers all Go 1.25.9 CVEs (CVE-2026-32282, CVE-2026-32280, CVE-2026-32281, CVE-2026-32283) in a single PR.
