239 matches found

OSV
added 3 days ago | 6 views

ROOT-APP-GOBINARY-CVE-2026-42306 CVE-2026-42306 in rootio-github.com/docker/docker - Patched by Root

Root has patched CVE-2026-42306 in the rootio-github.com/docker/docker package for Root:Go. Multiple fixed versions available...

CVSS 7.2 | AI score 5.8 | EPSS 0.00104
Exploits: 0

RedHat Linux
added 2026/06/18 5:24 p.m. | 4 views

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

CVSS 7.5 | AI score 7.9 | EPSS 0.0052
Exploits: 0 | References: 8

OSV
added 2026/06/18 4:00 p.m. | 8 views

ROOT-APP-GOBINARY-GHSA-FW8G-CG8F-9J28 GHSA-fw8g-cg8f-9j28 in rootio-github.com/prometheus/prometheus - Patched by Root

Root has patched GHSA-fw8g-cg8f-9j28 in the rootio-github.com/prometheus/prometheus package for Root:Go. Multiple fixed versions available...

AI score 5.5
Exploits: 0

OSV
added 2026/06/18 3:54 p.m. | 4 views

ROOT-APP-GOBINARY-CVE-2025-22870 CVE-2025-22870 in rootio-golang.org/x/net - Patched by Root

Root has patched CVE-2025-22870 in the rootio-golang.org/x/net package for Root:Go. Multiple fixed versions available...

CVSS 4.4 | AI score 6.7 | EPSS 0.00384
Exploits: 2

OSV
added 2026/06/18 3:54 p.m. | 4 views

ROOT-APP-GOBINARY-CVE-2026-29181 CVE-2026-29181 in rootio-go.opentelemetry.io/otel - Patched by Root

Root has patched CVE-2026-29181 in the rootio-go.opentelemetry.io/otel package for Root:Go. Multiple fixed versions available...

CVSS 7.5 | AI score 5.8 | EPSS 0.00329
Exploits: 1

OSV
added 2026/06/18 3:53 p.m. | 3 views

ROOT-APP-GOBINARY-CVE-2025-58181 CVE-2025-58181 in rootio-golang.org/x/crypto - Patched by Root

Root has patched CVE-2025-58181 in the rootio-golang.org/x/crypto package for Root:Go. Multiple fixed versions available...

CVSS 5.3 | AI score 6.6 | EPSS 0.00521
Exploits: 0

OSV
added 2026/06/18 3:51 p.m. | 6 views

ROOT-APP-GOBINARY-CVE-2026-27889 CVE-2026-27889 in rootio-github.com/nats-io/nats-server/v2 - Patched by Root

Root has patched CVE-2026-27889 in the rootio-github.com/nats-io/nats-server/v2 package for Root:Go. Multiple fixed versions available...

CVSS 7.5 | AI score 6.3 | EPSS 0.00412
Exploits: 0

OSV
added 2026/06/18 3:47 p.m. | 4 views

ROOT-APP-GOBINARY-CVE-2026-35469 CVE-2026-35469 in rootio-github.com/moby/spdystream - Patched by Root

Root has patched CVE-2026-35469 in the rootio-github.com/moby/spdystream package for Root:Go. Multiple fixed versions available...

CVSS 8.7 | AI score 5.2 | EPSS 0.0043
Exploits: 0

OSV
added 2026/06/18 1:55 p.m. | 5 views

ROOT-APP-GOBINARY-CVE-2025-30204 CVE-2025-30204 in rootio-github.com/golang-jwt/jwt/v4 - Patched by Root

Root has patched CVE-2025-30204 in the rootio-github.com/golang-jwt/jwt/v4 package for Root:Go. Multiple fixed versions available...

CVSS 7.5 | AI score 6.8 | EPSS 0.00693
Exploits: 0

OSV
added 2026/06/18 1:54 p.m. | 3 views

ROOT-APP-GOBINARY-CVE-2026-32286 CVE-2026-32286 in rootio-github.com/jackc/pgproto3/v2 - Patched by Root

Root has patched CVE-2026-32286 in the rootio-github.com/jackc/pgproto3/v2 package for Root:Go. Multiple fixed versions available...

CVSS 7.5 | AI score 6.3 | EPSS 0.00357
Exploits: 0

OSV
added 2026/06/18 1:53 p.m. | 3 views

ROOT-APP-GOBINARY-CVE-2026-32285 CVE-2026-32285 in rootio-github.com/buger/jsonparser - Patched by Root

Root has patched CVE-2026-32285 in the rootio-github.com/buger/jsonparser package for Root:Go. Multiple fixed versions available...

CVSS 7.5 | AI score 6 | EPSS 0.00542
Exploits: 1

OSV
added 2026/06/04 7:16 p.m. | 5 views

UBUNTU-CVE-2026-40898

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field...

CVSS 7.5 | AI score 5.3 | EPSS 0.00279
Exploits: 0 | References: 3

OSV
added 2026/06/04 4:16 p.m. | 5 views

UBUNTU-CVE-2026-41178

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue...

CVSS 5.3 | AI score 5.2 | EPSS 0.00237
Exploits: 0 | References: 4

Microsoft CVE
added 2026/05/27 8:14 a.m. | 11 views

Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh

...

CVSS 6.5 | AI score 5.8 | EPSS 0.00196
Exploits: 0

RedHat Linux
added 2026/05/26 4:27 a.m. | 17 views

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

CVSS 7.5 | AI score 7.3 | EPSS 0.0052
Exploits: 0 | References: 8

Snyk
added 2026/05/22 5:32 a.m. | 7 views

Improper Authentication

Overview: golang.org/x/crypto/ssh is an SSH client and server. Affected versions of this package are vulnerable to Improper Authentication due to the Verify method not checking the User Presence flag in FIDO/U2F security key types. An attacker can perform unauthorized authentication by generating...

CVSS 9.1 | AI score 5.8 | EPSS 0.00373
Exploits: 0 | References: 2

OSV
added 2026/05/22 2:08 a.m. | 6 views

GO-2026-5023 Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped...

CVSS 10 | AI score 5.8 | EPSS 0.00385
Exploits: 0 | References: 3

OSV
added 2026/05/22 2:08 a.m. | 8 views

GO-2026-5016 Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for...

CVSS 6.5 | AI score 5.8 | EPSS 0.00196
Exploits: 0 | References: 3

RedHat Linux
added 2026/05/19 9:46 p.m. | 8 views

crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building

A flaw was found in the Go standard library packages crypto/x509 and crypto/tls. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being...

CVSS 7.5 | AI score 7.2 | EPSS 0.00378
Exploits: 0 | References: 8

RedHat Linux
added 2026/05/19 4:21 p.m. | 10 views

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

CVSS 7.5 | AI score 7.3 | EPSS 0.0052
Exploits: 0 | References: 8