Skip to content

[release-2.8] Bump Go toolchain to 1.26.3 and x/net to v0.54.0 (Snyk findings)#2439

Merged
c-julin merged 2 commits into
release-2.8from
tb/snyk-go-1.26.3-release-2.8
May 11, 2026
Merged

[release-2.8] Bump Go toolchain to 1.26.3 and x/net to v0.54.0 (Snyk findings)#2439
c-julin merged 2 commits into
release-2.8from
tb/snyk-go-1.26.3-release-2.8

Conversation

@twmb

@twmb twmb commented May 10, 2026

Copy link
Copy Markdown
Contributor

Summary

Backport to release-2.8: bump backend Go toolchain from 1.26.1 -> 1.26.3 and golang.org/x/net from 0.52.0 -> 0.54.0 to clear HIGH Snyk stdlib findings.

Fixes:

  • CVE-2026-33811 Double Free in std/net (GO-2026-4981, SNYK-GOLANG-STDNET-16535159)
  • CVE-2026-39836 Uncaught Exception in std/net (GO-2026-4971, SNYK-GOLANG-STDNET-16535161)
  • CVE-2026-33814 Infinite loop in std/net/http (GO-2026-4918, SNYK-GOLANG-STDNETHTTP-16535158)
  • CVE-2026-33814 Infinite loop in golang.org/x/net/http2 (x/net -> 0.54.0)

Companion PR for master: #2438

Test plan

  • CI green on release-2.8 (build, lint, unit, integration)
  • Snyk re-scan on release-2.8 no longer flags the four advisories above

twmb added 2 commits May 10, 2026 15:39
- CVE-2026-33811 Double Free in std/net (GO-2026-4981)
- CVE-2026-39836 Uncaught Exception in std/net (GO-2026-4971)
- CVE-2026-33814 Infinite loop in std/net/http (GO-2026-4918)
- CVE-2026-33814 Infinite loop in golang.org/x/net/http2 (x/net -> 0.54.0)
@weeco

weeco commented May 11, 2026

Copy link
Copy Markdown
Contributor

needs updating of the linter version

@c-julin

c-julin commented May 11, 2026

Copy link
Copy Markdown
Contributor

That would mean updating the golint yaml on this branch, and then fixing all our lint errors, this is now just maintenance updates.

@c-julin c-julin merged commit 12a99ea into release-2.8 May 11, 2026
3 of 5 checks passed
@c-julin c-julin deleted the tb/snyk-go-1.26.3-release-2.8 branch May 11, 2026 10:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants