Dolt currently pins the Go toolchain to 1.25.6 (see go/go.mod, proto/MODULE.bazel, and go/utils/devbuild/build.sh). The Go team has since released 1.25.7, 1.25.8, and 1.25.9. The 1.25.9 release includes fixes for two cmd/compile vulnerabilities disclosed on 2026-04-07:
- CVE-2026-27143 (GO-2026-4868, CVSS 9.8): induction-variable underflow/overflow checks in the compiler are incorrect, allowing invalid indexing and potential memory corruption in generated code.
- CVE-2026-27144 (GO-2026-4867): pointers are not correctly unwrapped in memory-move operations, producing faulty non-overlapping-move detection.
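
One way to gate CI on the pin described above, as an added example that is not Dolt's own code: it reads the `go` and `toolchain` directives from go.mod text and reports whether the pinned toolchain predates 1.25.9. The function names and the sample go.mod are constructed for illustration, and the check covers go.mod only, not proto/MODULE.bazel or build.sh.

```go
package main

import (
	"fmt"
	"strings"
)

// fixedRelease is the release the issue names as carrying both compiler fixes.
const fixedRelease = "1.25.9"

// key turns "1.25.6" or "go1.25.6" into one comparable integer.
// A missing patch number counts as 0; a pre-release suffix such as "rc1" is ignored.
func key(v string) (int, error) {
	var a, b, c int
	if n, _ := fmt.Sscanf(strings.TrimPrefix(v, "go"), "%d.%d.%d", &a, &b, &c); n < 2 {
		return 0, fmt.Errorf("unsupported version %q", v)
	}
	return a*1_000_000 + b*1_000 + c, nil
}

// PinnedToolchain returns the toolchain directive when go.mod has one,
// otherwise the go directive (hypothetical helper, hand-rolled parsing).
func PinnedToolchain(gomod string) (pin string) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) >= 2 && f[0] == "toolchain":
			return f[1]
		case len(f) >= 2 && f[0] == "go":
			pin = f[1]
		}
	}
	return pin
}

// NeedsBump reports whether the pinned toolchain predates fixedRelease.
func NeedsBump(gomod string) (bool, error) {
	pin, err := key(PinnedToolchain(gomod))
	fix, _ := key(fixedRelease)
	return err == nil && pin < fix, err
}

func main() {
	sample := "module example.com/constructed\n\ngo 1.25.6\n" // constructed go.mod
	fmt.Println(NeedsBump(sample))
}
```

Binaries already built with the older compiler are unaffected by a go.mod change until they are rebuilt, so a pin check like this complements rather than replaces rebuilding release artifacts.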