chore(deps): update go toolchain directive to v1.26.4 [security] #307

Merged

renovate merged 1 commits from renovate/golang-version-go-vulnerability into main 2026-06-03 05:49:08 +00:00

Conversation 0 Commits 1 Files Changed 1

+1 -1

renovate commented 2026-06-03 01:18:44 +00:00

Owner

Copy Link

Copy Source

This PR contains the following updates:

Package	Type	Update	Change
go (source)	toolchain	patch	1.26.3 → 1.26.4

---

Inefficient candidate hostname parsing in crypto/x509

CVE-2026-27145 / GO-2026-5037

More information

Details

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Severity

Unknown

References

• https://go.dev/cl/783621
• https://go.dev/issue/79694
• https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Quadratic complexity in WordDecoder.DecodeHeader in mime

CVE-2026-42504 / GO-2026-5038

More information

Details

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Severity

Unknown

References

• https://go.dev/issue/79217
• https://go.dev/cl/774481
• https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Arbitrary inputs are included in errors without any escaping in net/textproto

CVE-2026-42507 / GO-2026-5039

More information

Details

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Severity

Unknown

References

• https://go.dev/issue/79346
• https://go.dev/cl/777060
• https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [go](https://go.dev/) ([source](https://github.com/golang/go)) | toolchain | patch | `1.26.3` → `1.26.4` | --- ### Inefficient candidate hostname parsing in crypto/x509 [CVE-2026-27145](https://nvd.nist.gov/vuln/detail/CVE-2026-27145) / [GO-2026-5037](https://pkg.go.dev/vuln/GO-2026-5037) <details> <summary>More information</summary> #### Details (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates. #### Severity Unknown #### References - [https://go.dev/cl/783621](https://go.dev/cl/783621) - [https://go.dev/issue/79694](https://go.dev/issue/79694) - [https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw](https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5037) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### Quadratic complexity in WordDecoder.DecodeHeader in mime [CVE-2026-42504](https://nvd.nist.gov/vuln/detail/CVE-2026-42504) / [GO-2026-5038](https://pkg.go.dev/vuln/GO-2026-5038) <details> <summary>More information</summary> #### Details Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. #### Severity Unknown #### References - [https://go.dev/issue/79217](https://go.dev/issue/79217) - [https://go.dev/cl/774481](https://go.dev/cl/774481) - [https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw](https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5038) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### Arbitrary inputs are included in errors without any escaping in net/textproto [CVE-2026-42507](https://nvd.nist.gov/vuln/detail/CVE-2026-42507) / [GO-2026-5039](https://pkg.go.dev/vuln/GO-2026-5039) <details> <summary>More information</summary> #### Details When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged. #### Severity Unknown #### References - [https://go.dev/issue/79346](https://go.dev/issue/79346) - [https://go.dev/cl/777060](https://go.dev/cl/777060) - [https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw](https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5039) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIwMi4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

renovate added 1 commit 2026-06-03 01:18:45 +00:00

chore(deps): update go toolchain directive to v1.26.4 [security] 580f86b73e

renovate scheduled this pull request to auto merge when all checks succeed 2026-06-03 01:18:47 +00:00

renovate merged commit 4852e861d7 into main 2026-06-03 05:49:08 +00:00

renovate deleted branch renovate/golang-version-go-vulnerability 2026-06-03 05:49:10 +00:00

releaser referenced this pull request 2026-06-03 05:50:39 +00:00

chore(release): prepare for 1.6.7 #309

releaser referenced this pull request 2026-06-06 09:50:20 +00:00

chore(release): prepare for 1.6.7 #311

releaser referenced this pull request 2026-06-10 04:24:46 +00:00

chore(release): prepare for 1.6.7 #313

releaser referenced this pull request 2026-06-11 05:57:42 +00:00

chore(release): prepare for 1.6.7 #315

argoyle referenced this issue from a commit 2026-06-11 08:08:09 +00:00

chore(release): prepare for 1.6.7 (#315)

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

dependencies

Pull requests that update a dependency file

docker

go

security

Pull requests that address a security vulnerability

severity:moderate

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

acctest (Shiny Acctest) argoyle (Joakim Olsson) buildtools (Buildtools) kubernetes (Kubernetes) peter (Peter Svensson) releaser (Unbound Releaser) renovate (Renovate Bot)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: unboundsoftware/default-request-adder#307