Skip to content

fix(cve): upgrade Go stdlib to 1.26.4 to address CVE-2026-27145 and CVE-2026-42504#3679

Closed
jkhelil wants to merge 1 commit into
mainfrom
fix/SRVKP-12754-cve-2026-27145-stdlib-main-attempt-1
Closed

fix(cve): upgrade Go stdlib to 1.26.4 to address CVE-2026-27145 and CVE-2026-42504#3679
jkhelil wants to merge 1 commit into
mainfrom
fix/SRVKP-12754-cve-2026-27145-stdlib-main-attempt-1

Conversation

@jkhelil

@jkhelil jkhelil commented Jul 8, 2026

Copy link
Copy Markdown
Member

CVE Details

CVE Severity CVSS Component Fixed In
CVE-2026-27145 (GO-2026-5037) Important 7.5 stdlib Go 1.26.4
CVE-2026-42504 (GO-2026-5038) Important 7.5 stdlib Go 1.26.4

These Go runtime vulnerabilities were detected in the pipelines-rhel9-operator container image scan (ROSA-GovCloud compliance monitoring).

Fix Summary

Updates the go directive in go.mod from 1.25.11 to 1.26.4 to pull in the patched Go stdlib runtime.

Change: go.mod: go 1.25.11go 1.26.4

Test Results

Build: go build ./... — PASSED with Go 1.26.4
Unit tests: go test -short ./pkg/... — ALL PASSED (no failures)

go test -count=1 -timeout 300s -short ./pkg/...
...all ok

Breaking Changes

None expected. This is a Go minor version bump (1.25 → 1.26) within a patch release that contains only security fixes for the identified CVEs.

Jira References

SRVKP-12754 — [GovCloud] pipelines-rhel9-operator - 5 CVEs (CRITICAL)

Verification Steps

  • Confirm go.mod declares go 1.26.4
  • Run go build ./... with GOTOOLCHAIN=go1.26.4
  • Run make test locally
  • Verify container image rebuilt from this branch no longer flags CVE-2026-27145 or CVE-2026-42504

Risk Assessment

Risk: Low

  • Single-line change to go directive
  • All existing unit tests pass
  • No API changes — patch-level stdlib security update
  • No changes to vendor/ (go mod vendor unchanged)

Automated fix — reviewed by CVE Fixer Bot

- Update go directive from 1.25.11 to 1.26.4 in go.mod
- Addresses Go runtime vulnerabilities detected in image scan:
  CVE-2026-27145 (GO-2026-5037, CVSS 7.5, Important)
  CVE-2026-42504 (GO-2026-5038, CVSS 7.5, Important)
- Both CVEs are fixed in Go 1.26.4
- Breaking changes: none expected (patch-level stdlib update)

Resolves: SRVKP-12754

Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tekton-robot

Copy link
Copy Markdown
Contributor

@jkhelil: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from jkhelil after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot requested a review from divyansh42 July 8, 2026 09:04
@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Jul 8, 2026
@linux-foundation-easycla

Copy link
Copy Markdown

CLA Missing ID

  • ❌ The email address for the commit (f4f7797) is not linked to the GitHub account, preventing the EasyCLA check. Consult this Help Article and GitHub Help to resolve. (To view the commit's email address, add .patch at the end of this PR page's URL.) For further assistance with EasyCLA, please visit our EasyCLA portal and chat with our support bot.

@tekton-robot tekton-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jul 8, 2026
@jkhelil jkhelil closed this Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants