
SSH MALICIOUS SERVER CRASH, CORRUPT DATA MEMORY BOMBS PLUGGED ACROSS STDLIB

By RepoJournal · Filed · About Go

A single malformed packet from an SSH server crashes any Go client outright, while three separate stdlib bugs silently consume unbounded memory on corrupt input.

The SSH vulnerability [1] is the immediate threat: an attacker controlling the remote server can send a truncated exit-status payload on which binary.BigEndian.Uint32 panics, dropping your connection mid-flight with zero warning. The fix lands today.
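The bug class described above, as an added illustration that is not the x/crypto code: the exit-status request body is a single big-endian uint32, so the unchecked decoder below indexes past a short slice and panics, while the hardened form checks the length first and returns an error the client can act on. Function names and payloads are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// The "exit-status" channel request (RFC 4254 §6.10) carries one uint32.
const exitStatusLen = 4

var errMalformed = errors.New("ssh: malformed exit-status payload")

// decodeExitStatusUnchecked shows the pattern the article describes:
// binary.BigEndian.Uint32 reads payload[3] unconditionally, so a server
// that sends fewer than four bytes makes the client panic. This is an
// illustration of the pattern, not the x/crypto implementation.
func decodeExitStatusUnchecked(payload []byte) uint32 {
	return binary.BigEndian.Uint32(payload)
}

// decodeExitStatus is the hardened form: validate the length first and turn
// a malformed message into an error the caller can log and close on.
func decodeExitStatus(payload []byte) (uint32, error) {
	if len(payload) != exitStatusLen {
		return 0, fmt.Errorf("%w: got %d bytes, want %d", errMalformed, len(payload), exitStatusLen)
	}
	return binary.BigEndian.Uint32(payload), nil
}

// panics reports whether fn panicked, so the two decoders can be compared
// on the same input without crashing the process.
func panics(fn func()) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	fn()
	return false
}

func main() {
	// Constructed payloads: a well-formed exit status 1, then a truncated one.
	for _, p := range [][]byte{{0, 0, 0, 1}, {0, 0}} {
		crash := panics(func() { decodeExitStatusUnchecked(p) })
		code, err := decodeExitStatus(p)
		fmt.Printf("payload=%x unchecked-panics=%v checked=(%d, %v)\n", p, crash, code, err)
	}
}
```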

Three memory bombs landed in quick succession across debug/dwarf, encoding/gob, and crypto internals. The debug/dwarf fix [2] stops endless loops when parsing corrupt DWARF data from invalid binaries, while encoding/gob now caps map allocation [5] to prevent adversarial input from consuming all available heap. Both fixes came out of fuzzer findings rather than test cases, so expect more surface area to harden as real-world crashes bubble up.

On the compiler side, a critical bounds-check regression slipped into 1.24 [3]. The fix for zero-sized arrays was incomplete and missed nested types, meaning some index operations never got safety checks inserted. This one is subtle enough that it might ship in production before anyone notices.

Two smaller fixes round out the batch: cmd/go now properly returns non-zero exit status when tools are interrupted by signals [4] instead of pretending they succeeded, and the GC memory limit test on Darwin got loosened again because apparently the last two attempts weren't quite enough.

Action items

References

  [1] ssh: prevent malformed exit-status panic (golang/crypto)
  [2] debug/dwarf: report underflow error on failure to read a varint (golang/go)
  [3] cmd/compile: ensure evaluating array index expression (golang/go)
  [4] cmd/go: return non-zero when go tool is interrupted (golang/go)
  [5] encoding/gob: cap map size when decoding (golang/go)

FAQ

What changed in Go on May 26, 2026?
A single malformed packet from an SSH server crashes any Go client outright, while three separate stdlib bugs silently consume unbounded memory on corrupt input.
What should Go teams do about it?
  • Patch golang/crypto immediately if you use the ssh package
  • Upgrade to the latest Go patch release before your next deploy
  • Monitor for DWARF/gob crashes in production fuzzing pipelines
Which Go repositories shipped on May 26, 2026?
golang/crypto, golang/go
