CVE-2025-61726

Golang

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-61726 addresses a vulnerability found in Go 1.25.6 and Go 1.24.12, specifically within the `crypto/tls` package. The issue arises because the `Config.Clone` method, when used on a `Config` object already passed to a TLS function, allows for its mutation and reuse. This can lead to problems if `Config.SessionTicketKey` has not been explicitly set or `Config.SetSessionTicketKeys` has not been called, as `crypto/tls` will then generate random session ticket keys. The vulnerability is further compounded by the fact that session resumption does not properly account for the expiration of the full certificate chain. This combination of factors allows for potential misuse of TLS configurations.

Description
-

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

30

  1. Go 1.25.6 and 1.24.12 fix 6 CVEs https://t.co/XjElQGk7ZQ CVE-2025-61728 archive/zip: DoS CVE-2025-61726 net/http: Memory exhaustion CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for chain expiration

    @oss_security

    16 Jan 2026

    917 Impressions

    2 Retweets

    11 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

  2. πŸ₯³ Go 1.26 Release Candidate 2 is released! πŸ” Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). πŸƒβ€β™€οΈ Run it in dev! Run it in prod! F

    @golang

    15 Jan 2026

    22045 Impressions

    52 Retweets

    423 Likes

    30 Bookmarks

    4 Replies

    2 Quotes

  3. 🎊 Go 1.25.6 and 1.24.12 are released! πŸ” Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). πŸ“£ Announcement: https://t.co/seVA1REoeH πŸ“¦ Do

    @golang

    15 Jan 2026

    14651 Impressions

    53 Retweets

    279 Likes

    26 Bookmarks

    4 Replies

    3 Quotes

  4. A Go release scheduled for Thursday, Jan 15th covering CVE-2025-61728 CVE-2025-61726 CVE-2025-68121 CVE-2025-61731 CVE-2025-68119, all currently embargoed. Reports of an SSH 0-day, in context of Go's crypto/ssh module.β€‹β€Œβ£β€Œβ£β€Œβ€Œβ€Œβ€Œβ€Œβ£β£β€Œβ€Œβ€Œβ€Œβ£β€Œβ£β£

    @_mattata

    13 Jan 2026

    327 Impressions

    0 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.