CVE-2026-42501 Malicious module proxy can bypass checksum database in cmd/go

🗓️ 07 May 2026 19:41:19Reported by GoType

vulnrichment

vulnrichment🔗 github.com👁 6 Views

Malicious module proxy can bypass checksum validation in Go toolchain downloads; upgrade base toolchain.

Reporter	Title	Published	Views	Family All 887
ATTACKERKB	CVE-2026-42501	7 May 202619:41	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : golang, golang-bin, golang-misc (ALAS2023-2026-1743)	27 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : golang, --advisory ALAS2-2026-3313 (ALAS-2026-3313)	27 May 202600:00	–	nessus
Tenable Nessus	Golang 1.25.x < 1.25.10 / 1.26.x < 1.26.3 Multiple Vulnerabilities	15 May 202600:00	–	nessus
Tenable Nessus	SUSE SLED15 / SLES15 Security Update : go1.26 (SUSE-SU-2026:1861-1)	16 May 202600:00	–	nessus
Tenable Nessus	SUSE SLED15 / SLES15 Security Update : go1.25 (SUSE-SU-2026:1862-1)	16 May 202600:00	–	nessus
Tenable Nessus	SUSE SLED15 / SLES15 Security Update : go1.26-openssl (SUSE-SU-2026:2078-1)	29 May 202600:00	–	nessus
Tenable Nessus	SUSE SLED15 / SLES15 Security Update : go1.25-openssl (SUSE-SU-2026:2079-1)	29 May 202600:00	–	nessus
Tenable Nessus	SUSE SLES15 Security Update : go1.26-openssl (SUSE-SU-2026:2092-1)	29 May 202600:00	–	nessus
Tenable Nessus	SUSE SLES15 Security Update : go1.25-openssl (SUSE-SU-2026:2093-1)	29 May 202600:00	–	nessus

Source	Link
pkg	www.pkg.go.dev/vuln/GO-2026-4984
go	www.go.dev/cl/775321
go	www.go.dev/issue/79070
groups	www.groups.google.com/g/golang-announce/c/qcCIEXso47M

07 May 2026 19:41Current

5.8Medium risk

Vulners AI Score5.8

EPSS0.00008

SSVC

malicious proxy checksum validation go toolchain module proxy checksum database untrusted proxy toolchain downloads