An update for golang is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1702 Final 1.0 1.0 2026-03-20 Initial 2026-03-20 2026-03-20 openEuler SA Tool V1.0 2026-03-20 golang security update An update for golang is now available for openEuler-24.03-LTS The Go Programming Language. Security Fix(es): The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.(CVE-2025-61726) archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.(CVE-2025-61728) Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.(CVE-2025-61731) A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.(CVE-2025-61732) Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.(CVE-2025-68119) During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.(CVE-2025-68121) An update for golang is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical golang https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1702 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-61726 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-61728 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-61731 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-61732 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-68119 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-68121 https://nvd.nist.gov/vuln/detail/CVE-2025-61726 https://nvd.nist.gov/vuln/detail/CVE-2025-61728 https://nvd.nist.gov/vuln/detail/CVE-2025-61731 https://nvd.nist.gov/vuln/detail/CVE-2025-61732 https://nvd.nist.gov/vuln/detail/CVE-2025-68119 https://nvd.nist.gov/vuln/detail/CVE-2025-68121 openEuler-24.03-LTS golang-1.21.4-42.oe2403.aarch64.rpm golang-1.21.4-42.oe2403.src.rpm golang-1.21.4-42.oe2403.x86_64.rpm golang-devel-1.21.4-42.oe2403.noarch.rpm golang-help-1.21.4-42.oe2403.noarch.rpm The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. 2026-03-20 CVE-2025-61726 openEuler-24.03-LTS High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H golang security update 2026-03-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1702 archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. 2026-03-20 CVE-2025-61728 openEuler-24.03-LTS Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H golang security update 2026-03-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1702 Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location. 2026-03-20 CVE-2025-61731 openEuler-24.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H golang security update 2026-03-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1702 A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. 2026-03-20 CVE-2025-61732 openEuler-24.03-LTS High 8.6 AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H golang security update 2026-03-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1702 Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths. 2026-03-20 CVE-2025-68119 openEuler-24.03-LTS High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H golang security update 2026-03-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1702 During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake. 2026-03-20 CVE-2025-68121 openEuler-24.03-LTS Critical 10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H golang security update 2026-03-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1702