<feed xmlns='http://www.w3.org/2005/Atom'>
<title>go, branch go1.26rc2</title>
<subtitle>Fork of Go programming language with my patches.</subtitle>
<id>http://git.kilabit.info/go/atom?h=go1.26rc2</id>
<link rel='self' href='http://git.kilabit.info/go/atom?h=go1.26rc2'/>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/'/>
<updated>2026-01-15T18:32:04Z</updated>
<entry>
<title>[release-branch.go1.26] go1.26rc2</title>
<updated>2026-01-15T18:32:04Z</updated>
<author>
<name>Gopher Robot</name>
<email>gobot@golang.org</email>
</author>
<published>2026-01-15T18:25:30Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=4606a931d2b099f2c5e5619b797352607ee42225'/>
<id>urn:sha1:4606a931d2b099f2c5e5619b797352607ee42225</id>
<content type='text'>
Change-Id: If5ce85a68010848f16c4c2509e18466ed1356912
Reviewed-on: https://go-review.googlesource.com/c/go/+/736763
TryBot-Bypass: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: Michael Pratt &lt;mpratt@google.com&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
Auto-Submit: Gopher Robot &lt;gobot@golang.org&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.26] archive/zip: reduce CPU usage in index construction</title>
<updated>2026-01-15T18:14:42Z</updated>
<author>
<name>Damien Neil</name>
<email>dneil@google.com</email>
</author>
<published>2025-11-05T01:00:33Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=73dcdd54362fbdf347a72b77279fb5ccb804c392'/>
<id>urn:sha1:73dcdd54362fbdf347a72b77279fb5ccb804c392</id>
<content type='text'>
Constructing the zip index (which is done once when first opening
a file in an archive) can consume large amounts of CPU when
processing deeply-nested directory paths.

Switch to a less inefficient algorithm.

Thanks to Jakub Ciolek for reporting this issue.

	goos: darwin
	goarch: arm64
	pkg: archive/zip
	cpu: Apple M4 Pro
	                          │  /tmp/bench.0  │            /tmp/bench.1            │
	                          │     sec/op     │   sec/op     vs base               │
	ReaderOneDeepDir-14         25983.62m ± 2%   46.01m ± 2%  -99.82% (p=0.000 n=8)
	ReaderManyDeepDirs-14          16.221 ± 1%    2.763 ± 6%  -82.96% (p=0.000 n=8)
	ReaderManyShallowFiles-14      130.3m ± 1%   128.8m ± 2%   -1.20% (p=0.003 n=8)
	geomean                         3.801        253.9m       -93.32%

Fixes #77102
Fixes CVE-2025-61728

Change-Id: I2c9c864be01b2a2769eb67fbab1b250aeb8f6c42
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3060
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-by: Neal Patel &lt;nealpatel@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3346
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/736708
Auto-Submit: Michael Pratt &lt;mpratt@google.com&gt;
TryBot-Bypass: Michael Pratt &lt;mpratt@google.com&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.26] net/url: add urlmaxqueryparams GODEBUG to limit the number of query parameters</title>
<updated>2026-01-15T18:14:39Z</updated>
<author>
<name>Damien Neil</name>
<email>dneil@google.com</email>
</author>
<published>2025-11-03T22:28:47Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=5405b5ce26dc7113e0ab585676921870c251cf3a'/>
<id>urn:sha1:5405b5ce26dc7113e0ab585676921870c251cf3a</id>
<content type='text'>
net/url does not currently limit the number of query parameters parsed by
url.ParseQuery or URL.Query.

When parsing an application/x-www-form-urlencoded form,
net/http.Request.ParseForm will parse up to 10 MB of query parameters.
An input consisting of a large number of small, unique parameters can
cause excessive memory consumption.

We now limit the number of query parameters parsed to 10000 by default.
The limit can be adjusted by setting GODEBUG=urlmaxqueryparams=&lt;n&gt;.
Setting urlmaxqueryparams to 0 disables the limit.

Thanks to jub0bs for reporting this issue.

Fixes #77101
Fixes CVE-2025-61726

Change-Id: Iee3374c7ee2d8586dbf158536d3ade424203ff66
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3020
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-by: Neal Patel &lt;nealpatel@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3345
Reviewed-by: Roland Shoemaker &lt;bracewell@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/736707
Auto-Submit: Michael Pratt &lt;mpratt@google.com&gt;
TryBot-Bypass: Michael Pratt &lt;mpratt@google.com&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.26] cmd/go/internal/work: sanitize flags before invoking 'pkg-config'</title>
<updated>2026-01-15T18:14:36Z</updated>
<author>
<name>Neal Patel</name>
<email>nealpatel@google.com</email>
</author>
<published>2025-12-04T17:30:39Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=6ed1ff80d68b3e6de9366f65038a43eede049a4a'/>
<id>urn:sha1:6ed1ff80d68b3e6de9366f65038a43eede049a4a</id>
<content type='text'>
The addition of CgoPkgConfig allowed execution with flags not
matching the safelist. In order to prevent potential arbitrary
code execution at build time, ensure that flags are validated
prior to invoking the 'pkg-config' binary.

Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
for reporting this issue.

Fixes CVE-2025-61731
Fixes #77100

Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3240
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3324
Reviewed-by: Neal Patel &lt;nealpatel@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/736706
Auto-Submit: Michael Pratt &lt;mpratt@google.com&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
TryBot-Bypass: Michael Pratt &lt;mpratt@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.26] cmd/go: update VCS commands to use safer flag/argument syntax</title>
<updated>2026-01-15T18:14:32Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>bracewell@google.com</email>
</author>
<published>2025-12-10T13:13:07Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=29f3f72dbd67c25033df944c8ced91e0efd46851'/>
<id>urn:sha1:29f3f72dbd67c25033df944c8ced91e0efd46851</id>
<content type='text'>
In various situations, the toolchain invokes VCS commands. Some of these
commands take arbitrary input, either provided by users or fetched from
external sources. To prevent potential command injection vulnerabilities
or misinterpretation of arguments as flags, this change updates the VCS
commands to use various techniques to separate flags from positional
arguments, and to directly associate flags with their values.

Additionally, we update the environment variable for Mercurial to use
`HGPLAIN=+strictflags`, which is the more explicit way to disable user
configurations (intended or otherwise) that might interfere with command
execution.

We also now disallow version strings from being prefixed with '-' or
'/', as doing so opens us up to making the same mistake again in the
future. As far as we know there are currently ~0 public modules affected
by this.

While I was working on cmd/go/internal/vcs, I also noticed that a
significant portion of the commands being implemented were dead code.
In order to reduce the maintenance burden and surface area for potential
issues, I removed the dead code for unused commands.

We should probably follow up with a more structured change to make it
harder to accidentally re-introduce these issues in the future, but for
now this addresses the issue at hand.

Thanks to splitline (@splitline) from DEVCORE Research Team for
reporting this issue.

Fixes CVE-2025-68119
Fixes #77099

Change-Id: I9d9f4ee05b95be49fe14edf71a1b8e6c0784378e
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3260
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3341
Reviewed-by: Neal Patel &lt;nealpatel@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/736705
Auto-Submit: Michael Pratt &lt;mpratt@google.com&gt;
TryBot-Bypass: Michael Pratt &lt;mpratt@google.com&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.26] crypto/tls: don't copy auto-rotated session ticket keys in Config.Clone</title>
<updated>2026-01-15T18:14:29Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>bracewell@google.com</email>
</author>
<published>2026-01-06T22:36:01Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=d4c273e4fc8042b3948d0223d1d4b775e2c7df8e'/>
<id>urn:sha1:d4c273e4fc8042b3948d0223d1d4b775e2c7df8e</id>
<content type='text'>
Once a tls.Config is used, it is not safe to mutate. We provide the
Clone method in order to allow users to copy and modify a Config that
is in use.

If Config.SessionTicketKey is not populated, and if
Config.SetSessionTicketKeys has not been called, we automatically
populate and rotate session ticket keys. Clone was previously copying
these keys into the new Config, meaning that two Configs could share
the same auto-rotated session ticket keys. This could allow sessions to
be resumed across different Configs, which may have completely different
configurations.

This change updates Clone to not copy the auto-rotated session ticket
keys.

Additionally, when resuming a session, check not just that the leaf
certificate is unexpired, but that the entire certificate chain is still
unexpired.

Fixes #77113
Fixes CVE-2025-68121

Change-Id: I011df7329de83068d11b3f0c793763692d018a98
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3300
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3340
Reviewed-by: Roland Shoemaker &lt;bracewell@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/736704
TryBot-Bypass: Michael Pratt &lt;mpratt@google.com&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
Auto-Submit: Michael Pratt &lt;mpratt@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.26] all: merge master (6b2505c) into release-branch.go1.26</title>
<updated>2026-01-08T18:14:02Z</updated>
<author>
<name>Junyang Shao</name>
<email>shaojunyang@google.com</email>
</author>
<published>2026-01-08T18:14:02Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=216d147a6de31c46d46857096d65c1c97c2ab25c'/>
<id>urn:sha1:216d147a6de31c46d46857096d65c1c97c2ab25c</id>
<content type='text'>
Merge List:

+ 2026-01-08 6b2505c79c cmd/go: remove user-content from doc strings in cgo ASTs.
+ 2026-01-08 4b89bcb8b7 lib/fips140: freeze v1.26.0 FIPS 140-3 module
+ 2026-01-08 8ac4477d83 simd/archsimd: rename Broadcast methods
+ 2026-01-08 5facb3b24b internal/types: add test for cycles in value context
+ 2026-01-07 28147b5283 cmd/go: guarantee a minimum of min(4,GOMAXPROCS) to compile -c
+ 2026-01-07 874d8b98eb cmd/go/internal/work: decrement concurrentProcesses when action finishes
+ 2026-01-07 d1e7f49e3d internal/trace: fix recorder.Write return value for header-only buffers

Change-Id: I863375a1ac0f641b0b02968acf01a602b7d7f2a1
</content>
</entry>
<entry>
<title>cmd/go: remove user-content from doc strings in cgo ASTs.</title>
<updated>2026-01-08T17:58:59Z</updated>
<author>
<name>Neal Patel</name>
<email>nealpatel@google.com</email>
</author>
<published>2026-01-06T21:09:19Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=6b2505c79cb3838c6e27cf47ac09980fe51c83c2'/>
<id>urn:sha1:6b2505c79cb3838c6e27cf47ac09980fe51c83c2</id>
<content type='text'>
Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue.

Updates golang/go#76697
Fixes CVE-2025-61732

Change-Id: I1121502f1bf1e91309eb4bd41cc3a09c39366d36
Reviewed-on: https://go-review.googlesource.com/c/go/+/734220
Reviewed-by: Agustin Hernandez &lt;garisol1982@gmail.com&gt;
Reviewed-by: David Chase &lt;drchase@google.com&gt;
Reviewed-by: Robert Griesemer &lt;gri@google.com&gt;
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
</content>
</entry>
<entry>
<title>lib/fips140: freeze v1.26.0 FIPS 140-3 module</title>
<updated>2026-01-08T17:58:32Z</updated>
<author>
<name>Filippo Valsorda</name>
<email>filippo@golang.org</email>
</author>
<published>2025-12-19T22:14:36Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=4b89bcb8b7141c7e4ef1a7dbb4c3f17f589d89c0'/>
<id>urn:sha1:4b89bcb8b7141c7e4ef1a7dbb4c3f17f589d89c0</id>
<content type='text'>
Fixes #76770

Change-Id: Ia617f01ea9be0d1759147b6cca0403c56a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/731840
Reviewed-by: Roland Shoemaker &lt;roland@golang.org&gt;
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
Auto-Submit: Filippo Valsorda &lt;filippo@golang.org&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
</content>
</entry>
<entry>
<title>simd/archsimd: rename Broadcast methods</title>
<updated>2026-01-08T17:44:00Z</updated>
<author>
<name>Cherry Mui</name>
<email>cherryyz@google.com</email>
</author>
<published>2026-01-08T16:57:28Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=8ac4477d83672af8c3d39399685731ee6b81ce2f'/>
<id>urn:sha1:8ac4477d83672af8c3d39399685731ee6b81ce2f</id>
<content type='text'>
Currently the Broadcast128/256/512 methods broadcast the lowest
element of the input vector to a vector of the corresponding width.
There are also variations of broadcast operations that broadcast
the whole (128- or 256-bit) vector to a larger vector, which we
don't yet support. Our current naming is unclear which version it
is, though. Rename the current ones to Broadcast1ToN, to be clear
that they broadcast one element. The vector version probably will
be named BroadcastAllToN (not included in this CL).

Change-Id: I47a21e367f948ec0b578d63706a40d20f5a9f46d
Reviewed-on: https://go-review.googlesource.com/c/go/+/734840
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
</content>
</entry>
</feed>
