
fix(cve): CVE-2026-42499, CVE-2026-39820 - update Go 1.25.9 to 1.25.10 [release-v0.42.2]#2921

Open
divyansh42 wants to merge 1 commit into
release-v0.42.2from
fix/SRVKP-12511-SRVKP-12514-cve-2026-42499-cve-2026-39820-stdlib-release-v0.42.2-attempt-1

Conversation

@divyansh42

Member

CVE Details

| Field | CVE-2026-42499 | CVE-2026-39820 |
|---|---|---|
| CVE ID | CVE-2026-42499 | CVE-2026-39820 |
| Go ID | GO-2026-4977 | GO-2026-4986 |
| Severity | TBD (DoS) | TBD (DoS) |
| Component | net/mail (stdlib) | net/mail (stdlib) |
| Affected | Go < 1.25.10 | Go < 1.25.10 |
| Fixed | Go 1.25.10 | Go 1.25.10 |

Description

  • CVE-2026-42499: Quadratic string concatenation in consumePhrase in net/mail. Pathological inputs could cause DoS when parsing email addresses according to RFC 5322.
  • CVE-2026-39820: Quadratic string concatenation in consumeComment in net/mail. Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate could trigger excessive CPU exhaustion and memory allocations.

Fix Summary

Updated go directive in go.mod from 1.25.9 to 1.25.10. This is a Go stdlib patch release that includes the security fixes for both CVEs. No vendor directory changes were required (stdlib fix only).

Test Results

Status: ✅ PASSED

Command: GOTOOLCHAIN=go1.25.10 go test -mod=vendor -count=1 ./...
Result: All packages PASSED

All unit tests passed with the updated Go version.

Breaking Changes

None. This is a patch-level stdlib update (1.25.9 → 1.25.10) with no API changes.

Jira References

SRVKP-12511
SRVKP-12514

Verification Steps

  • go version in the build environment matches 1.25.10 or higher
  • govulncheck -scan package ./... no longer reports GO-2026-4977 or GO-2026-4986
  • All unit tests pass: go test -mod=vendor ./...

Risk Assessment

Low — Patch-level Go version bump. Fixes two DoS vulnerabilities in net/mail. The tkn CLI does not directly call net/mail functions but benefits from the updated stdlib in case of transitive use. All tests pass.

- Update Go stdlib from 1.25.9 to 1.25.10
- Addresses CVE-2026-42499: Quadratic string concatenation in consumePhrase in net/mail
- Addresses CVE-2026-39820: Quadratic string concatenation in consumeComment in net/mail
- Both vulnerabilities allow DoS via pathological email address inputs

Resolves: SRVKP-12511, SRVKP-12514

Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
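As an added example, not code from this PR or from the tkn project: a defense-in-depth wrapper that caps the size of untrusted input before it reaches net/mail, so the quadratic parser paths described above cannot be driven to exhaustion even on a toolchain that still lacks the fix. The limit value and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// maxAddressBytes is an assumed, application-chosen ceiling; real RFC 5322
// addresses are far shorter, so anything larger is treated as hostile.
const maxAddressBytes = 1024

// ErrAddressTooLong is returned before net/mail ever sees oversized input.
var ErrAddressTooLong = errors.New("mail input exceeds size limit")

// checkSize is the gate: the fixed defects are quadratic in input length,
// so bounding the length bounds the parser's worst-case cost.
func checkSize(s string) error {
	if len(s) > maxAddressBytes {
		return ErrAddressTooLong
	}
	return nil
}

// ParseAddressBounded wraps mail.ParseAddress with the size gate.
func ParseAddressBounded(s string) (*mail.Address, error) {
	if err := checkSize(s); err != nil {
		return nil, err
	}
	return mail.ParseAddress(s)
}

// ParseAddressListBounded wraps mail.ParseAddressList with the size gate.
func ParseAddressListBounded(s string) ([]*mail.Address, error) {
	if err := checkSize(s); err != nil {
		return nil, err
	}
	return mail.ParseAddressList(s)
}

func main() {
	// Constructed samples: a normal address with a comment, and an oversized one.
	a, err := ParseAddressBounded("Jane Doe (team lead) <jane@example.com>")
	fmt.Println(a, err)
	_, err = ParseAddressBounded("(" + strings.Repeat("a ", 1000) + ") <x@example.com>")
	fmt.Println("oversized:", err)
}
```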
@tekton-robot

Contributor

@divyansh42: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Jun 23, 2026
@tekton-robot

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign vdemeester after the PR has been reviewed.
You can assign the PR to them by writing /assign @vdemeester in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jun 23, 2026