This advisory covers six distinct vulnerabilities in the golang packages for Red Hat Enterprise Linux 9.6 EUS. The issues include CVE-2026-27140 (arbitrary code execution via malicious SWIG file names in cmd/go), CVE-2026-27143 (possible memory corruption after bound check elimination in cmd/compile), CVE-2026-27144 (no-op interface conversion bypassing overlap checking in cmd/compile), CVE-2026-32280 (denial of service in certificate chain building in crypto/x509), CVE-2026-32282 (Root.Chmod following symlinks out of root in internal/syscall/unix), and CVE-2026-32283 (denial of service via multiple TLS 1.3 key update messages in crypto/tls). These vulnerabilities impact the Go compiler and runtime components distributed by Red Hat. The advisory provides updated golang packages to remediate these issues.

The vulnerabilities collectively allow for arbitrary code execution, denial of service conditions, memory corruption, and potential privilege escalation via symlink traversal. Specifically, CVE-2026-27140 enables arbitrary code execution through crafted SWIG file names, which could lead to compromise of systems running affected golang versions. Denial of service vulnerabilities in TLS and certificate chain processing could disrupt secure communications. Memory corruption and interface conversion issues may cause instability or unexpected behavior in compiled Go programs. These impacts affect systems using the affected golang packages on Red Hat Enterprise Linux 9.6 EUS and related platforms.

Red Hat has released updated golang packages that address all listed vulnerabilities. Users of affected Red Hat Enterprise Linux 9.6 Extended Update Support and related variants should apply the provided security update as detailed in Red Hat advisory RHSA-2026:16021 and the referenced article https://access.redhat.com/articles/11258. Applying these official patches is the recommended and effective mitigation. No additional vendor guidance indicates that further action is required beyond updating to the fixed packages.