Go Language Releases Security Patches for Multiple DoS and Memory Exhaustion Flaws
Take action: There are multiple flaws in the Go language that may affect your applications. Check the advisory and update your Go toolchain to version 1.25.6 or 1.24.12, then rebuild all production binaries with the updated toolchain.
The Go programming language team released security updates for versions 1.25.6 and 1.24.12 to address six vulnerabilities. These flaws allow attackers to trigger denial-of-service (DoS) states, leak sensitive data, or execute arbitrary code.
Vulnerabilities causing DoS or system crashes through resource exhaustion:
- CVE-2025-61728 (CVSS score 9.1) - Super-linear file name indexing in ZIP archives, causing computational exhaustion. The archive/zip package indexes file names with an algorithm whose cost grows super-linearly with the archive, which attackers can trigger with specially crafted ZIP files.
- CVE-2025-61726 (CVSS score 9.1) - Excessive memory allocation in net/http during form parsing. Affects the HTTP package when parsing URL-encoded forms. Attackers can send forms with a high number of keys to force the server to allocate excessive memory, leading to a crash.
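As an added defender-side example (not code from the Go project or from the advisory), the wrapper below bounds what net/http's ParseForm is allowed to read and rejects requests that still arrive with an excessive number of keys, the request shape described for CVE-2025-61726; the 64 KiB body cap and 256-key cap are assumed values to tune per application.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const maxFormBytes = 64 << 10 // assumed cap on a URL-encoded form body (64 KiB)
const maxFormKeys = 256        // assumed cap on the number of distinct form keys

// limitForm bounds the form body before ParseForm reads it and rejects
// requests that still carry an excessive number of keys.
func limitForm(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Once the cap is exceeded, reads fail and ParseForm returns an error.
		r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
		if err := r.ParseForm(); err != nil {
			http.Error(w, "form body too large", http.StatusRequestEntityTooLarge)
			return
		}
		// r.Form merges query and body keys, so both are counted here.
		if len(r.Form) > maxFormKeys {
			http.Error(w, "too many form fields", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor posts a constructed body through the wrapper and returns the status code.
func statusFor(body string) int {
	h := limitForm(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	req := httptest.NewRequest(http.MethodPost, "/submit", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// manyKeys builds a constructed body with n distinct keys, the shape the advisory describes.
func manyKeys(n int) string {
	var sb strings.Builder
	for i := 0; i < n; i++ {
		fmt.Fprintf(&sb, "k%d=v&", i)
	}
	return sb.String()
}
```

The wrapper only limits how much a single request can make ParseForm allocate; the patched toolchain is still required.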
Data leak flaws:
- CVE-2025-68121 (CVSS score 9.1) - Improper session ticket key handling in TLS configuration cloning. Leaks session ticket keys when cloning configurations, which could allow attackers to resume sessions without proper authorization.
- CVE-2025-61730 (CVSS score 9.1) - Handshake message processing at incorrect encryption levels. Allows handshake messages to be processed at incorrect encryption levels, potentially exposing data to attackers on the same local network.
Arbitrary code execution (RCE) on developer machines or build servers:
- CVE-2025-61731 (CVSS score 9.1) - Bypass of compiler flag sanitization in CgoPkgConfig. The Cgo tool fails to sanitize compiler flags, allowing attackers to run the pkg-config tool with malicious parameters.
- CVE-2025-68119 (CVSS score 9.1) - Arbitrary code execution via malicious VCS version strings in the Go toolchain. The Go toolchain’s integration with version control systems like Git and Mercurial contained a flaw. Attackers could use malicious version strings or non-standard sources to execute commands when a developer downloads or builds a module.
Organizations should download the latest binaries from the official Go download page. Because these flaws exist in the standard library, simply updating the toolchain is not enough; all existing Go applications must be recompiled with the patched versions to ensure they are no longer affected by these flaws.