Skip to content

fix(cve): upgrade Go stdlib to 1.26.4 to address CVE-2026-27145 and CVE-2026-42504 (operator-webhook)#3680

Closed
jkhelil wants to merge 1 commit into
mainfrom
fix/SRVKP-12762-cve-2026-27145-stdlib-main-attempt-1
Closed

fix(cve): upgrade Go stdlib to 1.26.4 to address CVE-2026-27145 and CVE-2026-42504 (operator-webhook)#3680
jkhelil wants to merge 1 commit into
mainfrom
fix/SRVKP-12762-cve-2026-27145-stdlib-main-attempt-1

Conversation

@jkhelil

@jkhelil jkhelil commented Jul 8, 2026

Copy link
Copy Markdown
Member

CVE Details

CVE Severity CVSS Component Fixed In
CVE-2026-27145 (GO-2026-5037) Important 7.5 stdlib Go 1.26.4
CVE-2026-42504 (GO-2026-5038) Important 7.5 stdlib Go 1.26.4

Detected in the pipelines-operator-webhook-rhel9 container image scan (ROSA-GovCloud compliance monitoring).

Fix Summary

Updates the go directive in go.mod from 1.25.11 to 1.26.4 to pull in the patched Go stdlib runtime.

Change: go.mod: go 1.25.11go 1.26.4

Test Results

Build: go build ./... — PASSED with Go 1.26.4
Unit tests: go test -short ./pkg/... — ALL PASSED
go mod verify — all modules verified

Breaking Changes

None expected. Patch-level stdlib security update within Go 1.26.x.

Jira References

SRVKP-12762 — [GovCloud] pipelines-operator-webhook-rhel9 - 4 CVEs (CRITICAL)

Verification Steps

  • Confirm go.mod declares go 1.26.4
  • Run make test locally
  • Verify container image rebuilt from this branch no longer flags CVE-2026-27145 or CVE-2026-42504

Risk Assessment

Risk: Low — Single-line change to go directive, all tests pass, no API changes.


Automated fix — reviewed by CVE Fixer Bot

- Update go directive from 1.25.11 to 1.26.4 in go.mod
- Addresses Go runtime vulnerabilities in pipelines-operator-webhook-rhel9:
  CVE-2026-27145 (GO-2026-5037, CVSS 7.5, Important)
  CVE-2026-42504 (GO-2026-5038, CVSS 7.5, Important)
- Both CVEs are fixed in Go 1.26.4

Resolves: SRVKP-12762

Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tekton-robot

Copy link
Copy Markdown
Contributor

@jkhelil: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot requested review from khrm and pratap0007 July 8, 2026 09:05
@tekton-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from jkhelil after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Jul 8, 2026
@linux-foundation-easycla

Copy link
Copy Markdown

CLA Missing ID

  • ❌ The email address for the commit (fdedc68) is not linked to the GitHub account, preventing the EasyCLA check. Consult this Help Article and GitHub Help to resolve. (To view the commit's email address, add .patch at the end of this PR page's URL.) For further assistance with EasyCLA, please visit our EasyCLA portal and chat with our support bot.

@tekton-robot tekton-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jul 8, 2026
@jkhelil jkhelil closed this Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants