Skip to main content

Go 1.26.4

Release Date: June 2, 2026

Go 1.26.4 has been released — a security-focused point release that patches three vulnerabilities in the standard library and delivers bug fixes to the compiler and runtime.

Security Fixes

The Go team rolled out version 1.26.4 on June 2, 2026, addressing three CVEs:

  • CVE-2026-42504 — A denial-of-service vulnerability in the crypto/x509 package caused by inefficient certificate chain validation. An attacker could craft a certificate chain that triggers excessive CPU consumption.
  • CVE-2026-42507 — A quadratic complexity issue in the mime package's WordDecoder, allowing a small malicious input to cause disproportionately high processing time.
  • CVE-2026-... — A third fix in net/textproto addressing a similar algorithmic complexity issue in header parsing.

These are the kind of vulnerabilities that matter most to production services — they're not about data corruption, but about operational resilience under adversarial inputs.

Bug Fixes and Improvements

Beyond the security patches, Go 1.26.4 includes a collection of bug fixes backported from the development branch:

  • Compiler: Fixed an edge case where generic type inference could produce incorrect results under specific nesting conditions
  • Runtime: Addressed a goroutine scheduling issue that could cause excessive latency on systems with many CPU cores under certain GC pressure patterns
  • Linker: Resolved a symbol resolution issue affecting plugins compiled with older versions of Go

The team advises all users running Go 1.26.x to upgrade, especially those running production services that accept external network input.

How to Upgrade

Download the latest binaries from go.dev/dl, or use your system package manager. If you're using goenv or similar version managers:

goenv install 1.26.4
goenv global 1.26.4

Verify your installation with go version, which should return go1.26.4.

What is New?

By continuing to use the site, you agree to the use of cookies.