CVE-2026-39836

Daily digests

Go's `net` package panics when it encounters a NUL byte in Dial or LookupPort calls on Windows. An attacker who can feed crafted input to a Go application's network dialing code can crash the process. This primarily affects Go applications running on Windows, but the Azure Linux packages include Go toolchain and Go-built dependencies like TensorFlow/TensorBoard.

• Daily Digest · May 19, 2026

  Apache Thrift 9.4 RCE + 4 Linux/Go/curl fixes