SB2026032052 - openEuler 20.03 LTS SP4 update for golang

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026032052

SB2026032052 - openEuler 20.03 LTS SP4 update for golang

Published: March 20, 2026

Security Bulletin ID SB2026032052
Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 60% Medium 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2025-61726)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the Request.ParseForm method in net/http when parsing a URL-encoded form. A remote attacker can pass an overly large request with a large number of key-value pairs and consume all available memory on the system. 


2) Protection mechanism failure (CVE-ID: CVE-2025-61731)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due CgoPkgConfig allows execution of pkg-config binary with flags that are not explicitly safe-listed. A remote attacker can trick the victim into executing arbitrary commands on the system.


3) Code Injection (CVE-ID: CVE-2025-61732)

The vulnerability allows a remote attacker to inject arbitrary code into the application.

The vulnerability exists due to improper input validation in cmd/cgo caused by discrepancy between how Go and C/C++ comments are parsed. A remote attacker can smuggle code into the resulting cgo binary.


4) Protection mechanism failure (CVE-ID: CVE-2025-68119)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to usage of unsafe options in Go toolchain. On systems with Mercurial installed (hg) downloading modules from non-standard sources can lead to unexpected code execution due to how external VCS are constructed. A remote attacker can trick the victim into downloading and executing arbitrary code on the target system.


5) Improper Certificate Validation (CVE-ID: CVE-2025-68121)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper certificate validation within HTTP/3 connections. A remote attacker can cause cause a client to resume a session with a server that it would not have resumed with during the initial handshake


Remediation

Install update from vendor's website.

References