Go 1.26.4
Go 1.26.4 has been released — a security-focused point release that patches three vulnerabilities in the standard library and delivers bug fixes to the compiler and runtime.
Security Fixes
The Go team rolled out version 1.26.4 on June 2, 2026, addressing three CVEs:
- CVE-2026-42504 — A denial-of-service vulnerability in the
crypto/x509package caused by inefficient certificate chain validation. An attacker could craft a certificate chain that triggers excessive CPU consumption. - CVE-2026-42507 — A quadratic complexity issue in the
mimepackage'sWordDecoder, allowing a small malicious input to cause disproportionately high processing time. - CVE-2026-... — A third fix in
net/textprotoaddressing a similar algorithmic complexity issue in header parsing.
These are the kind of vulnerabilities that matter most to production services — they're not about data corruption, but about operational resilience under adversarial inputs.
Bug Fixes and Improvements
Beyond the security patches, Go 1.26.4 includes a collection of bug fixes backported from the development branch:
- Compiler: Fixed an edge case where generic type inference could produce incorrect results under specific nesting conditions
- Runtime: Addressed a goroutine scheduling issue that could cause excessive latency on systems with many CPU cores under certain GC pressure patterns
- Linker: Resolved a symbol resolution issue affecting plugins compiled with older versions of Go
The team advises all users running Go 1.26.x to upgrade, especially those running production services that accept external network input.
How to Upgrade
Download the latest binaries from go.dev/dl, or use your system package manager. If you're using goenv or similar version managers:
goenv install 1.26.4
goenv global 1.26.4
Verify your installation with go version, which should return go1.26.4.