chore(deps): update go toolchain directive to v1.26.4 [security] - autoclosed #433

Closed

renovate wants to merge 1 commits from renovate/golang-version-go-vulnerability into main

pull from: renovate/golang-version-go-vulnerability

merge into: unboundsoftware:main

unboundsoftware:main

unboundsoftware:renovate/actions-checkout-7.x

Conversation 0 Commits 1 Files Changed 1

+1 -1

renovate commented 2026-06-03 01:22:03 +00:00

Owner

Copy Link

Copy Source

This PR contains the following updates:

Package	Type	Update	Change
go (source)	toolchain	patch	1.26.3 → 1.26.4

---

Inefficient candidate hostname parsing in crypto/x509

CVE-2026-27145 / GO-2026-5037

More information

Details

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Severity

Unknown

References

• https://go.dev/cl/783621
• https://go.dev/issue/79694
• https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Quadratic complexity in WordDecoder.DecodeHeader in mime

CVE-2026-42504 / GO-2026-5038

More information

Details

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Severity

Unknown

References

• https://go.dev/issue/79217
• https://go.dev/cl/774481
• https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Arbitrary inputs are included in errors without any escaping in net/textproto

CVE-2026-42507 / GO-2026-5039

More information

Details

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Severity

Unknown

References

• https://go.dev/issue/79346
• https://go.dev/cl/777060
• https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [go](https://go.dev/) ([source](https://github.com/golang/go)) | toolchain | patch | `1.26.3` → `1.26.4` | --- ### Inefficient candidate hostname parsing in crypto/x509 [CVE-2026-27145](https://nvd.nist.gov/vuln/detail/CVE-2026-27145) / [GO-2026-5037](https://pkg.go.dev/vuln/GO-2026-5037) <details> <summary>More information</summary> #### Details (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates. #### Severity Unknown #### References - [https://go.dev/cl/783621](https://go.dev/cl/783621) - [https://go.dev/issue/79694](https://go.dev/issue/79694) - [https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw](https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5037) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### Quadratic complexity in WordDecoder.DecodeHeader in mime [CVE-2026-42504](https://nvd.nist.gov/vuln/detail/CVE-2026-42504) / [GO-2026-5038](https://pkg.go.dev/vuln/GO-2026-5038) <details> <summary>More information</summary> #### Details Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. #### Severity Unknown #### References - [https://go.dev/issue/79217](https://go.dev/issue/79217) - [https://go.dev/cl/774481](https://go.dev/cl/774481) - [https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw](https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5038) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### Arbitrary inputs are included in errors without any escaping in net/textproto [CVE-2026-42507](https://nvd.nist.gov/vuln/detail/CVE-2026-42507) / [GO-2026-5039](https://pkg.go.dev/vuln/GO-2026-5039) <details> <summary>More information</summary> #### Details When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged. #### Severity Unknown #### References - [https://go.dev/issue/79346](https://go.dev/issue/79346) - [https://go.dev/cl/777060](https://go.dev/cl/777060) - [https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw](https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5039) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIwMi4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

renovate added 1 commit 2026-06-03 01:22:05 +00:00

chore(deps): update go toolchain directive to v1.26.4 [security] 57d6170be7

renovate scheduled this pull request to auto merge when all checks succeed 2026-06-03 01:22:07 +00:00

renovate changed title from chore(deps): update go toolchain directive to v1.26.4 [security] to chore(deps): update go toolchain directive to v1.26.4 [security] - autoclosed 2026-06-04 13:05:29 +00:00

renovate closed this pull request 2026-06-04 13:05:30 +00:00

Some required checks failed

Hide all checks

gitlab-cleanup-handler / test (pull_request) Successful in 1m54s

Required

Details

gitlab-cleanup-handler / vulnerabilities (pull_request) Failing after 1m58s

Required

Details

gitlab-cleanup-handler / build (pull_request) Has been skipped

Required

Details

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

dependencies

Pull requests that update a dependency file

docker

go

security

Pull requests that address a security vulnerability

severity:moderate

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

acctest (Shiny Acctest) argoyle (Joakim Olsson) buildtools (Buildtools) kubernetes (Kubernetes) releaser (Unbound Releaser) renovate (Renovate Bot)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: unboundsoftware/gitlab-cleanup-handler#433