This advisory covers six vulnerabilities in the golang packages provided by Red Hat Enterprise Linux 10.0 Extended Update Support. The issues include CVE-2026-27140 (arbitrary code execution via malicious SWIG file names in cmd/go), CVE-2026-27143 (possible memory corruption after bound check elimination in cmd/compile), CVE-2026-27144 (no-op interface conversion bypassing overlap checking in cmd/compile), CVE-2026-32280 (denial of service in certificate chain building in crypto/x509), CVE-2026-32282 (Root.Chmod following symlinks out of root in internal/syscall/unix), and CVE-2026-32283 (denial of service via multiple TLS 1.3 key update messages in crypto/tls). Red Hat has released updated golang packages to address these vulnerabilities.

The vulnerabilities collectively allow for denial of service conditions, potential arbitrary code execution, memory corruption, and security bypasses within the Go compiler and related libraries. Specifically, CVE-2026-27140 enables arbitrary code execution via crafted SWIG file names, which could lead to compromise of systems compiling or running affected code. Denial of service vulnerabilities could disrupt services relying on TLS or certificate validation. The symlink traversal issue could allow unauthorized file permission changes outside intended directories. No known exploits in the wild have been reported at this time.

Red Hat has released updated golang packages for Red Hat Enterprise Linux 10.0 Extended Update Support that address these vulnerabilities. Users should apply the provided security update as detailed in the Red Hat advisory RHSA-2026:16024 and the referenced article https://access.redhat.com/articles/11258. Applying this update will remediate the described security issues. There is no indication that additional mitigation steps are required beyond applying the official patch.