Security Patches and Vulnerability Disclosures in Deno, glibc, and Go
Multiple upstream language/runtime and core library projects disclosed and/or patched significant vulnerabilities affecting widely deployed developer and production environments. Deno reported two issues: CVE-2026-22863 (CVSS 9.2) in the node:crypto compatibility layer where cipher.final() fails to properly finalize/close cipher state, enabling “infinite encryptions” that could aid attacks aimed at learning server secrets; and CVE-2026-22864, a Windows-specific command execution weakness involving a bypass in Deno.Command protections when executing batch files, undermining intended shell-injection safeguards.
glibc maintainers disclosed CVE-2026-0861 (CVSS 8.4), an integer overflow in memalign, posix_memalign, and aligned_alloc affecting versions 2.30–2.42 that can lead to heap corruption when an attacker can control unusually large size values and alignment parameters, and CVE-2026-0915, a decades-old information leak in getnetbyaddr/getnetbyaddr_r affecting versions 2.0–2.42 that can expose uninitialized stack contents to DNS backends when querying a zero-valued network.

Separately, the Go team released security updates (Go 1.25.6 and 1.24.12) addressing six vulnerabilities across the standard library (e.g., archive/zip, net/http, crypto/tls) and the toolchain, including a ZIP-processing CPU-exhaustion DoS (CVE-2025-61728) and toolchain issues that could enable command execution in certain developer/build scenarios; organizations running Go services or CI/build pipelines were advised to upgrade to the patched releases.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Go releases 1.26.3 and 1.25.10 with 11 security fixes
The Go team released Go 1.26.3 and Go 1.25.10 to fix 11 vulnerabilities across cmd/go, net/http, net, net/mail, and html/template. The most serious issue, CVE-2026-42501, allowed a malicious module proxy or checksum database to bypass checksum validation, potentially leading to altered modules or Go toolchains being downloaded and executed; other fixes addressed denial-of-service, path and symlink handling, HTTP/2 looping, Windows panics, DNS resolver crashes, and multiple XSS bypasses.
Go releases 1.26.2 and 1.25.9 with 10 security fixes
The Go team released Go 1.26.2 and Go 1.25.9 to address 10 vulnerabilities across standard library and toolchain components including os, html/template, crypto/x509, crypto/tls, archive/tar, cmd/compile, and cmd/go. The fixes cover issues such as symlink traversal, XSS, certificate validation and TLS flaws, denial-of-service, memory corruption, and possible arbitrary code execution during build time via cgo and SWIG.
Deno vulnerabilities disclosed affecting crypto and Windows command execution
Two Deno flaws were disclosed: CVE-2026-22863 in the Node.js compatibility crypto layer, which can leave ciphers effectively open and risk secret exposure, and CVE-2026-22864, a Windows-specific Deno.Command bypass that can enable arbitrary code execution. Researchers published proof-of-concept details, and users were advised to upgrade to Deno v2.6.0 or later.
glibc discloses heap corruption and information leak vulnerabilities
glibc maintainers disclosed CVE-2026-0861, an integer overflow in memalign-related functions that can lead to heap corruption, and CVE-2026-0915, a long-standing information leak in getnetbyaddr/getnetbyaddr_r that may expose stack contents to a DNS resolver. Administrators were advised to review distribution-specific exposure and apply patches.
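The glibc memalign-family bug summarized above (CVE-2026-0861) belongs to a general allocator failure mode: rounding a requested size up to an alignment boundary with unchecked arithmetic, so that a huge request wraps into a tiny one and the caller later writes past a block that is far smaller than it believes. The C below is an added example and is not glibc's code or its fix; the helpers naive_align_up, checked_align_up, align_up_or_zero, checked_aligned_alloc and alloc_roundtrip are hypothetical names, and the near-SIZE_MAX request is a constructed input. It places the wrapped result of the unchecked computation beside an overflow-aware check that rejects the request before anything is carved out of the heap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked rounding of `size` up to a multiple of `align`, the step an
 * aligned allocator performs before carving a block out of the heap.
 * When size + align - 1 exceeds SIZE_MAX the addition wraps, and a huge
 * request silently becomes a tiny one. Constructed to illustrate the bug
 * class; this is not glibc's code. */
size_t naive_align_up(size_t size, size_t align) {
    return (size + align - 1) & ~(align - 1);
}

/* Overflow-aware version: validates the alignment and refuses any size whose
 * rounding would wrap. Returns true and stores the rounded size in *out on
 * success, false otherwise. Hypothetical helper, not the upstream fix. */
bool checked_align_up(size_t size, size_t align, size_t *out) {
    /* The mask trick below only works for a non-zero power-of-two alignment. */
    if (align == 0 || (align & (align - 1)) != 0)
        return false;
    /* Test before adding: size + (align - 1) must not exceed SIZE_MAX. */
    if (size > SIZE_MAX - (align - 1))
        return false;
    *out = (size + align - 1) & ~(align - 1);
    return true;
}

/* Convenience wrapper: returns the rounded size, or 0 when the request is
 * invalid or would wrap. A genuine zero-byte request also yields 0, so callers
 * treat 0 as "do not allocate". */
size_t align_up_or_zero(size_t size, size_t align) {
    size_t rounded = 0;
    return checked_align_up(size, align, &rounded) ? rounded : 0;
}

/* Validates parameters before handing them to the C11 allocator. Returns NULL
 * on an invalid or overflowing request instead of letting a wrapped size
 * reach the heap. */
void *checked_aligned_alloc(size_t align, size_t size) {
    size_t rounded;
    if (size == 0 || !checked_align_up(size, align, &rounded))
        return NULL;
    /* aligned_alloc requires size to be a multiple of align; rounding ensures it. */
    return aligned_alloc(align, rounded);
}

/* Allocates through the checked wrapper, verifies the pointer honours `align`,
 * frees it, and reports whether the round trip succeeded. */
bool alloc_roundtrip(size_t align, size_t size) {
    void *p = checked_aligned_alloc(align, size);
    if (p == NULL)
        return false;
    bool ok = ((uintptr_t)p % align) == 0;
    free(p);
    return ok;
}

int main(void) {
    size_t huge = SIZE_MAX - 5; /* constructed: a request near the top of size_t */
    printf("naive_align_up(SIZE_MAX-5, 16)   = %zu (wrapped)\n", naive_align_up(huge, 16));
    printf("align_up_or_zero(SIZE_MAX-5, 16) = %zu (rejected)\n", align_up_or_zero(huge, 16));
    printf("align_up_or_zero(100, 16)        = %zu\n", align_up_or_zero(100, 16));
    printf("alloc_roundtrip(64, 100): %s\n", alloc_roundtrip(64, 100) ? "ok" : "failed");
    return 0;
}
```

The check worth copying is the ordering: compare `size` against `SIZE_MAX - (align - 1)` first, and only then add. Writing the addition and testing the result afterwards does not work, because the wrap has already happened by the time it is inspected.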
Go releases 1.25.6 and 1.24.12 to fix six security flaws
The Go team issued security updates Go 1.25.6 and Go 1.24.12 addressing six vulnerabilities, including denial-of-service, TLS session and handshake weaknesses, and cmd/go toolchain issues that could enable arbitrary code execution in some build environments. The fixes were delivered through Go’s scheduled PRIVATE-track minor release process.
Sources
oss-sec: Go 1.26.3 and Go 1.25.10 are released with 11 security fixes (seclists.org, open source)
oss-sec: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (seclists.org, open source)
[security] Go 1.26.2 and Go 1.25.9 are released (groups.google.com, open source)
Critical Deno Flaws Risk Secrets (CVE-2026-22863) & Execution (CVE-2026-22864) (securityonline.info, open source)
Decades-Old Flaw & New Heap Corruption: Critical glibc Bugs Revealed (securityonline.info, open source)
Go Programming Language 1.26 Patches Several Security Flaws - TechRepublic (techrepublic.com, open source)


