Go package builder vulnerability: memory exhaustion from URL parsing

ALSA-2026:3669
Summary

A security update is available for go-rpm-macros, the build-stage RPM automation used to create Go language (golang) packages. The update fixes a memory exhaustion bug in query parameter parsing in Go's net/url (CVE-2025-61726). If you use these Go packaging macros, apply the update.

What to do
  • Update almalinux go-filesystem to version 3.6.0-7.el10_1.
  • Update almalinux go-rpm-macros to version 3.6.0-7.el10_1.
  • Update almalinux go-rpm-templates to version 3.6.0-7.el10_1.
  • Update almalinux go-srpm-macros to version 3.6.0-7.el10_1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| almalinux | go-filesystem | <= 3.6.0-7.el10_1 | 3.6.0-7.el10_1 |
| almalinux | go-rpm-macros | <= 3.6.0-7.el10_1 | 3.6.0-7.el10_1 |
| almalinux | go-rpm-templates | <= 3.6.0-7.el10_1 | 3.6.0-7.el10_1 |
| almalinux | go-srpm-macros | <= 3.6.0-7.el10_1 | 3.6.0-7.el10_1 |
Original title
Important: go-rpm-macros security update
Original description
This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only.

Security Fix(es):

* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)


For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Published: 3 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026