Go 1.26.1 Fixes Five Security Vulnerabilities Including Certificate Verification Panics
The Go team has released Go 1.26.1 and Go 1.25.8 with patches for five security vulnerabilities spanning crypto/x509, html/template, net/url, and os packages. Two critical certificate verification bugs can cause incorrect email constraint enforcement and verification panics that crash TLS-dependent services.
The Go team has released Go 1.26.1 and Go 1.25.8, patching five security vulnerabilities that span the crypto/x509, html/template, net/url, and os packages. Two of the five bugs affect certificate verification in the crypto/x509 package and could crash production services or allow unauthorized access to TLS-protected resources.
Certificate Verification Bugs
CVE-2026-27137 is a logic error in how email name constraints are enforced during certificate verification. When a certificate's Name Constraints extension specifies multiple email address restrictions, Go's Certificate.Verify function only checks the last constraint in the list — silently ignoring all previous ones. This means a certificate that should be rejected because it violates an email constraint could be incorrectly accepted if it satisfies only the final constraint in the list.
CVE-2026-27138 is more immediately dangerous: when a certificate contains an empty DNS name in its excluded name constraints, the verification function panics with a nil pointer dereference. Any Go program that calls Certificate.Verify on such a certificate — including TLS servers that validate client certificates — will crash. Since the malicious certificate can be sent by any connecting client, this is effectively a remote denial-of-service vulnerability against any Go service using mutual TLS.
Both crypto/x509 bugs were introduced in Go 1.26 and do not affect Go 1.25 or earlier.
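As an added defensive example (not code from the Go team or the release notes), the Go snippet below does two things a service owner may want while rolling out the upgrade: it flags parsed certificates whose name constraints match the two shapes described above, and it wraps Certificate.Verify so that a panic surfaces as an error instead of taking down the process. The sample certificate values are constructed, and the wrapper only protects code paths where the application itself calls Verify, for example from a custom VerifyPeerCertificate callback.

```go
package main

import (
	"crypto/x509"
	"fmt"
)

// FindRiskyConstraints inspects a parsed certificate for the two name
// constraint shapes the advisory describes: an empty DNS name among the
// excluded constraints (the CVE-2026-27138 panic trigger) and more than
// one email constraint (the set CVE-2026-27137 only partially enforces).
func FindRiskyConstraints(c *x509.Certificate) []string {
	var findings []string
	for _, d := range c.ExcludedDNSDomains {
		if d == "" {
			findings = append(findings, "empty DNS name in excluded name constraints")
			break
		}
	}
	n := len(c.PermittedEmailAddresses) + len(c.ExcludedEmailAddresses)
	if n > 1 {
		findings = append(findings, fmt.Sprintf("%d email name constraints present", n))
	}
	return findings
}

// SafeVerify wraps Certificate.Verify so a panic during verification is
// returned as an error rather than crashing the process. It is a stop-gap
// for code that calls Verify directly; the real fix is upgrading to 1.26.1.
func SafeVerify(c *x509.Certificate, opts x509.VerifyOptions) (chains [][]*x509.Certificate, err error) {
	defer func() {
		if r := recover(); r != nil {
			chains = nil
			err = fmt.Errorf("certificate verification panicked: %v", r)
		}
	}()
	return c.Verify(opts)
}

func main() {
	// Constructed sample carrying both risky shapes; nil exercises the recover path.
	sample := &x509.Certificate{ExcludedDNSDomains: []string{""}, PermittedEmailAddresses: []string{"a.test", "b.test"}}
	fmt.Println(FindRiskyConstraints(sample))
	_, err := SafeVerify(nil, x509.VerifyOptions{})
	fmt.Println(err)
}
```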
Additional Fixes
The html/template package receives a fix for a cross-site scripting risk when rendering URL values inside meta http-equiv="refresh" tags. The net/url package tightens URL parsing to reject inputs that were previously accepted but technically malformed. The os package fixes a metadata handling issue in directory listings that could allow file system root escapes under specific conditions.
Go 1.25.8 includes patches for three of the five vulnerabilities — the html/template, net/url, and os fixes. Organizations running Go 1.26 should upgrade to 1.26.1 immediately due to the severity of the certificate verification bugs.