Debian Golang-1.24 vulnerabilities

CVE-2026-27143 [CRITICAL] CVE-2026-27143: golang-1.15 - Arithmetic over induction variables in loops were not correctly checked for unde... Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption. Scope: local bullseye: open

CVE-2026-32280 [HIGH] CVE-2026-32280: golang-1.15 - During chain building, the amount of work that is done is not correctly limited ... During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. Scope: local bullseye: open

CVE-2026-32281 [HIGH] CVE-2026-32281: golang-1.15 - Validating certificate chains which use policies is unexpectedly inefficient whe... Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. Scope: loc

CVE-2026-32283 [HIGH] CVE-2026-32283: golang-1.15 - If one side of the TLS connection sends multiple key update messages post-handsh... If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. Scope: local bullseye: open

CVE-2026-27140 [HIGH] CVE-2026-27140: golang-1.15 - SWIG file names containing 'cgo' and well-crafted payloads could lead to code sm... SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass. Scope: local bullseye: open

CVE-2026-27144 [HIGH] CVE-2026-27144: golang-1.15 - The compiler is meant to unwrap pointers which are the operands of a memory move... The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime. Scope: local bullseye: open

CVE-2026-32282 [MEDIUM] CVE-2026-32282: golang-1.15 - On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod... On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before act

CVE-2026-32288 [MEDIUM] CVE-2026-32288: golang-1.15 - tar.Reader can allocate an unbounded amount of memory when reading a maliciously... tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. Scope: local bullseye: open

CVE-2026-27142 [MEDIUM] CVE-2026-27142: golang-1.15 - Actions which insert URLs into the content attribute of HTML meta tags are not e... Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting h

CVE-2026-32289 [MEDIUM] CVE-2026-32289: golang-1.15 - Context was not properly tracked across template branches for JS template litera... Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals

CVE-2026-27139 [LOW] CVE-2026-27139: golang-1.15 - On Unix platforms, when listing the contents of a directory using File.ReadDir o... On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the r

CVE-2026-25679 [HIGH] CVE-2026-25679: golang-1.15 - url.Parse insufficiently validated the host/authority component and accepted som... url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. Scope: local bullseye: resolved

CVE-2026-27138 [MEDIUM] CVE-2026-27138: golang-1.15 - Certificate verification can panic when a certificate in the chain has an empty ... Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS. Scope: local bullseye: resolved

CVE-2026-27137 [HIGH] CVE-2026-27137: golang-1.15 - When verifying a certificate chain which contains a certificate containing multi... When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered. Scope: local bullseye: resolved

CVE-2026-33810 [HIGH] CVE-2026-33810: golang-1.15 - When verifying a certificate chain containing excluded DNS constraints, these co... When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. Scope: local bull

CVE-2025-22871 [CRITICAL] CVE-2025-22871: golang-1.15 - The net/http package improperly accepts a bare LF as a line terminator in chunke... The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. Scope: local bullseye: open

CVE-2025-68121 [CRITICAL] CVE-2025-68121: golang-1.15 - During session resumption in crypto/tls, if the underlying Config has its Client... During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a

CVE-2025-61725 [HIGH] CVE-2025-61725: golang-1.15 - The ParseAddress function constructs domain-literal address components through r... The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Scope: local bullseye: open

CVE-2025-58187 [HIGH] CVE-2025-58187: golang-1.15 - Due to the design of the name constraint checking algorithm, the processing time... Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Scope: local bullseye: open

CVE-2025-68119 [HIGH] CVE-2025-68119: golang-1.15 - Downloading and building modules with malicious version strings can cause local ... Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version strin