This advisory covers six distinct vulnerabilities in the golang packages for Red Hat Enterprise Linux 9. The issues include CVE-2026-27140 (arbitrary code execution via malicious SWIG file names in cmd/go), CVE-2026-27143 (possible memory corruption after bound check elimination in cmd/compile), CVE-2026-27144 (no-op interface conversion bypassing overlap checking in cmd/compile), CVE-2026-32280 (denial of service in certificate chain building in crypto/x509 and crypto/tls), CVE-2026-32282 (Root.Chmod following symlinks out of root in internal/syscall/unix), and CVE-2026-32283 (denial of service via multiple TLS 1.3 key update messages in crypto/tls). Red Hat has issued an update to golang version 1.25.9-1.el9_7 that addresses these vulnerabilities. The advisory references Red Hat's errata RHSA-2026:10219 and provides links for applying the update.

The vulnerabilities collectively allow for potential arbitrary code execution, denial of service conditions, memory corruption, and unintended file system access via symlink traversal. These impacts could affect the security and stability of systems running vulnerable versions of golang on Red Hat Enterprise Linux 9. No known exploits in the wild have been reported at this time.

Red Hat has released an official security update for golang (version 1.25.9-1.el9_7) that addresses all listed vulnerabilities. Users of affected Red Hat Enterprise Linux 9 versions should apply this update promptly following Red Hat's published guidance at https://access.redhat.com/articles/11258. No additional mitigations are indicated by the vendor advisory. Patch status is confirmed as available via this update.