[GH-ISSUE #14233] Released binaries have High severity CVEs due to Go version 1.24.1 #35027

New Issue

GiteaMirror · 2026-04-22T19:08:38-05:00

GiteaMirror commented

2026-04-22 19:08:38 -05:00

Originally created by @chelis on GitHub (Feb 13, 2026).
Original GitHub issue: https://github.com/ollama/ollama/issues/14233

What is the issue?

Scanning linux binary with govulncheck yields a big list of CVEs. In particular this one has been raised to level 10 - critical

Vulnerability #5: GO-2026-4337
    Unexpected session resumption in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2026-4337
  Standard library
    Found in: crypto/tls@go1.24.1
    Fixed in: crypto/tls@go1.24.13
    Vulnerable symbols found:
      #1: tls.Conn.Handshake
      #2: tls.Conn.Handshake
      #3: tls.Conn.Handshake
      #4: tls.Conn.HandshakeContext
      #5: tls.Conn.HandshakeContext
      Use '-show traces' to see the other 22 found symbols

Upgrading to 1.24.13 would fix the issue, however as 1.24 line is now out of support (1.26 has just been released). I would recommend either

upgrading to 1.25.7 (previous 1.25 versions are also affected)
Upgrade to Go 1.26.0 which came out a few days ago.

Based on this code in the Dockerfile, it would seem that updating the version in the go.mod would fix the issue.

Relevant log output

+ govulncheck -mode=binary bin/ollama
=== Symbol Results ===

Vulnerability #1: GO-2026-4403
    Improper access to parent directory of root in os
  More info: https://pkg.go.dev/vuln/GO-2026-4403
  Standard library
    Found in: os@go1.24.1
    Fixed in: os@go1.24.3
    Vulnerable symbols found:
      #1: os.checkPathEscapesInternal
      #2: os.doInRoot
      #3: os.splitPathInRoot

Vulnerability #2: GO-2026-4342
    Excessive CPU consumption when building archive index in archive/zip
  More info: https://pkg.go.dev/vuln/GO-2026-4342
  Standard library
    Found in: archive/zip@go1.24.1
    Fixed in: archive/zip@go1.24.12
    Vulnerable symbols found:
      #1: zip.Reader.Open

Vulnerability #3: GO-2026-4341
    Memory exhaustion in query parameter parsing in net/url
  More info: https://pkg.go.dev/vuln/GO-2026-4341
  Standard library
    Found in: net/url@go1.24.1
    Fixed in: net/url@go1.24.12
    Vulnerable symbols found:
      #1: url.ParseQuery
      #2: url.URL.Query

Vulnerability #4: GO-2026-4340
    Handshake messages may be processed at the incorrect encryption level in
    crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2026-4340
  Standard library
    Found in: crypto/tls@go1.24.1
    Fixed in: crypto/tls@go1.24.12
    Vulnerable symbols found:
      #1: tls.Conn.Handshake
      #2: tls.Conn.Handshake
      #3: tls.Conn.Handshake
      #4: tls.Conn.HandshakeContext
      #5: tls.Conn.HandshakeContext
      Use '-show traces' to see the other 23 found symbols

Vulnerability #5: GO-2026-4337
    Unexpected session resumption in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2026-4337
  Standard library
    Found in: crypto/tls@go1.24.1
    Fixed in: crypto/tls@go1.24.13
    Vulnerable symbols found:
      #1: tls.Conn.Handshake
      #2: tls.Conn.Handshake
      #3: tls.Conn.Handshake
      #4: tls.Conn.HandshakeContext
      #5: tls.Conn.HandshakeContext
      Use '-show traces' to see the other 22 found symbols

OS

Linux

GPU

Other

CPU

No response

Ollama version

0.15.6

Originally created by @chelis on GitHub (Feb 13, 2026). Original GitHub issue: https://github.com/ollama/ollama/issues/14233 ### What is the issue? Scanning linux binary with govulncheck yields a big list of CVEs. In particular this one has been raised to level [10 - critical](https://nvd.nist.gov/vuln/detail/cve-2025-68121) ``` Vulnerability #5: GO-2026-4337 Unexpected session resumption in crypto/tls More info: https://pkg.go.dev/vuln/GO-2026-4337 Standard library Found in: crypto/tls@go1.24.1 Fixed in: crypto/tls@go1.24.13 Vulnerable symbols found: #1: tls.Conn.Handshake #2: tls.Conn.Handshake #3: tls.Conn.Handshake #4: tls.Conn.HandshakeContext #5: tls.Conn.HandshakeContext Use '-show traces' to see the other 22 found symbols ``` Upgrading to 1.24.13 would fix the issue, however as 1.24 line is now out of support (1.26 has just been released). I would recommend either * upgrading to 1.25.7 (previous 1.25 versions are also affected) * Upgrade to Go 1.26.0 which came out a few days ago. Based on [this code](https://github.com/ollama/ollama/blob/main/Dockerfile#L153C5-L153C74) in the Dockerfile, it would seem that updating the version in the go.mod would fix the issue. ### Relevant log output ```shell + govulncheck -mode=binary bin/ollama === Symbol Results === Vulnerability #1: GO-2026-4403 Improper access to parent directory of root in os More info: https://pkg.go.dev/vuln/GO-2026-4403 Standard library Found in: os@go1.24.1 Fixed in: os@go1.24.3 Vulnerable symbols found: #1: os.checkPathEscapesInternal #2: os.doInRoot #3: os.splitPathInRoot Vulnerability #2: GO-2026-4342 Excessive CPU consumption when building archive index in archive/zip More info: https://pkg.go.dev/vuln/GO-2026-4342 Standard library Found in: archive/zip@go1.24.1 Fixed in: archive/zip@go1.24.12 Vulnerable symbols found: #1: zip.Reader.Open Vulnerability #3: GO-2026-4341 Memory exhaustion in query parameter parsing in net/url More info: https://pkg.go.dev/vuln/GO-2026-4341 Standard library Found in: net/url@go1.24.1 Fixed in: net/url@go1.24.12 Vulnerable symbols found: #1: url.ParseQuery #2: url.URL.Query Vulnerability #4: GO-2026-4340 Handshake messages may be processed at the incorrect encryption level in crypto/tls More info: https://pkg.go.dev/vuln/GO-2026-4340 Standard library Found in: crypto/tls@go1.24.1 Fixed in: crypto/tls@go1.24.12 Vulnerable symbols found: #1: tls.Conn.Handshake #2: tls.Conn.Handshake #3: tls.Conn.Handshake #4: tls.Conn.HandshakeContext #5: tls.Conn.HandshakeContext Use '-show traces' to see the other 23 found symbols Vulnerability #5: GO-2026-4337 Unexpected session resumption in crypto/tls More info: https://pkg.go.dev/vuln/GO-2026-4337 Standard library Found in: crypto/tls@go1.24.1 Fixed in: crypto/tls@go1.24.13 Vulnerable symbols found: #1: tls.Conn.Handshake #2: tls.Conn.Handshake #3: tls.Conn.Handshake #4: tls.Conn.HandshakeContext #5: tls.Conn.HandshakeContext Use '-show traces' to see the other 22 found symbols ``` ### OS Linux ### GPU Other ### CPU _No response_ ### Ollama version 0.15.6

GiteaMirror added the bug label 2026-04-22 19:08:38 -05:00

Sign in to join this conversation.

Branches Tags

main

dhiltgen/ci

dhiltgen/llama-runner

parth-launch-codex-app

hoyyeva/anthropic-local-image-path

hoyyeva/anthropic-reference-images-path

parth-anthropic-reference-images-path

brucemacd/download-before-remove

hoyyeva/editor-config-repair

parth-mlx-decode-checkpoints

hoyyeva/fix-codex-model-metadata-warning

hoyyeva/qwen

parth/hide-claude-desktop-till-release

hoyyeva/opencode-image-modality

parth-add-claude-code-autoinstall

release_v0.22.0

pdevine/manifest-list

codex/fix-codex-model-metadata-warning

pdevine/addressable-manifest

brucemacd/launch-fetch-reccomended

jmorganca/llama-compat

launch-copilot-cli

hoyyeva/opencode-thinking

release_v0.20.7

parth-auto-save-backup

parth-test

jmorganca/gemma4-audio-replacements

fix-manifest-digest-on-pull

hoyyeva/vscode-improve

brucemacd/install-server-wait

parth/update-claude-docs

brucemac/start-ap-install

pdevine/mlx-update

pdevine/qwen35_vision

drifkin/api-show-fallback

mintlify/image-generation-1773352582

hoyyeva/server-context-length-local-config

jmorganca/faster-reptition-penalties

jmorganca/convert-nemotron

parth-pi-thinking

pdevine/sampling-penalties

jmorganca/fix-create-quantization-memory

dongchen/resumable_transfer_fix

pdevine/sampling-cache-error

jessegross/mlx-usage

hoyyeva/openclaw-config

hoyyeva/app-html

pdevine/qwen3next

brucemacd/sign-sh-install

brucemacd/tui-update

brucemacd/usage-api

jmorganca/launch-empty

fix-app-dist-embed

mxyng/mlx-compile

mxyng/mlx-quant

mxyng/mlx-glm4.7

mxyng/mlx

brucemacd/simplify-model-picker

jmorganca/qwen3-concurrent

fix-glm-4.7-flash-mla-config

drifkin/qwen3-coder-opening-tag

brucemacd/usage-cli

fix-cuda12-fattn-shmem

ollama-imagegen-docs

parth/fix-multiline-inputs

brucemacd/config-docs

mxyng/model-files

mxyng/simple-execute

fix-imagegen-ollama-models

mxyng/async-upload

jmorganca/lazy-no-dtype-changes

imagegen-auto-detect-create

parth/decrease-concurrent-download-hf

fix-mlx-quantize-init

jmorganca/x-cleanup

usage

imagegen-readme

jmorganca/glm-image

mlx-gpu-cd

jmorganca/imagegen-modelfile

parth/agent-skills

parth/agent-allowlist

parth/signed-in-offline

parth/agents

parth/fix-context-chopping

improve-cloud-flow

parth/add-models-websearch

parth/prompt-renderer-mcp

jmorganca/native-settings

jmorganca/download-stream-hash

jmorganca/client2-rebased

brucemacd/oai-chat-req-multipart

jessegross/multi_chunk_reserve

grace/additional-omit-empty

grace/mistral-3-large

mxyng/tokenizer2

mxyng/tokenizer

jessegross/flash

hoyyeva/windows-nacked-app

mxyng/cleanup-attention

grace/deepseek-parser

hoyyeva/remember-unsent-prompt

parth/add-lfs-pointer-error-conversion

parth/olmo2-test2

hoyyeva/ollama-launchagent-plist

nicole/olmo-model

parth/olmo-test

mxyng/remove-embedded

parth/render-template

jmorganca/intellect-3

parth/remove-prealloc-linter

jmorganca/cmd-eval

nicole/nomic-embed-text-fix

mxyng/lint-2

hoyyeva/add-gemini-3-pro-preview

hoyyeva/load-model-list

mxyng/expand-path

mxyng/environ-2

hoyyeva/deeplink-json-encoding

parth/improve-tool-calling-tests

hoyyeva/conversation

hoyyeva/assistant-edit-response

hoyyeva/thinking

origin/brucemacd/invalid-char-i-err

parth/improve-tool-calling

jmorganca/required-omitempty

grace/qwen3-vl-tests

mxyng/iter-client

parth/docs-readme

nicole/embed-test

pdevine/integration-benchstat

parth/remove-generate-cmd

parth/add-toolcall-id

mxyng/server-tests

jmorganca/glm-4.6

jmorganca/gin-h-compat

drifkin/stable-tool-args

pdevine/qwen3-more-thinking

parth/add-websearch-client

nicole/websearch_local

jmorganca/qwen3-coder-updates

grace/deepseek-v3-migration-tests

mxyng/fix-create

jmorganca/cloud-errors

pdevine/parser-tidy

revert-12233-parth/simplify-entrypoints-runner

parth/enable-so-gpt-oss

brucemacd/qwen3vl

jmorganca/readme-simplify

parth/gpt-oss-structured-outputs

revert-12039-jmorganca/tools-braces

mxyng/embeddings

mxyng/gguf

mxyng/benchmark

mxyng/types-null

parth/move-parsing

mxyng/gemma2

jmorganca/docs

mxyng/16-bit

mxyng/create-stdin

pdevine/authorizedkeys

mxyng/quant

parth/opt-in-error-context-window

brucemacd/cache-models

brucemacd/runner-completion

jmorganca/llama-update-6

brucemacd/benchmark-list

brucemacd/partial-read-caps

parth/deepseek-r1-tools

mxyng/omit-array

parth/tool-prefix-temp

brucemacd/runner-test

jmorganca/qwen25vl

brucemacd/model-forward-test-ext

parth/python-function-parsing

jmorganca/cuda-compression-none

drifkin/num-parallel

drifkin/chat-truncation-fix

jmorganca/sync

parth/python-tools-calling

drifkin/array-head-count

brucemacd/create-no-loop

parth/server-enable-content-stream-with-tools

qwen25omni

mxyng/v3

brucemacd/ropeconfig

jmorganca/silence-tokenizer

parth/sample-so-test

parth/sampling-structured-outputs

brucemacd/doc-go-engine

parth/constrained-sampling-json

jmorganca/mistral-wip

brucemacd/mistral-small-convert

parth/sample-unmarshal-json-for-params

brucemacd/jomorganca/mistral

pdevine/bfloat16

jmorganca/mistral

brucemacd/mistral

pdevine/logging

parth/sample-correctness-fix

parth/sample-fix-sorting

jmorgan/sample-fix-sorting-extras

jmorganca/temp-0-images

brucemacd/parallel-embed-models

brucemacd/shim-grammar

jmorganca/fix-gguf-error

bmizerany/nameswork

jmorganca/faster-releases

bmizerany/validatenames

brucemacd/err-no-vocab

brucemacd/rope-config

brucemacd/err-hint

brucemacd/qwen2_5

brucemacd/logprobs

brucemacd/new_runner_graph_bench

progress-flicker

brucemacd/forward-test

brucemacd/go_qwen2

pdevine/gemma2

jmorganca/add-missing-symlink-eval

mxyng/next-debug

parth/set-context-size-openai

brucemacd/next-bpe-bench

brucemacd/next-bpe-test

brucemacd/new_runner_e2e

brucemacd/new_runner_qwen2

pdevine/convert-cohere2

brucemacd/convert-cli

parth/log-probs

mxyng/next-mlx

mxyng/cmd-history

parth/templating

parth/tokenize-detokenize

brucemacd/check-key-register

bmizerany/grammar

jmorganca/vendor-081b29bd

mxyng/func-checks

jmorganca/fix-null-format

parth/fix-default-to-warn-json

jmorganca/qwen2vl

jmorganca/no-concat

parth/cmd-cleanup-SO

brucemacd/check-key-register-structured-err

parth/openai-stream-usage

parth/fix-referencing-so

stream-tools-stop

jmorganca/degin-1

brucemacd/install-path-clean

brucemacd/push-name-validation

brucemacd/browser-key-register

jmorganca/openai-fix-first-message

jmorganca/fix-proxy

jessegross/sample

parth/disallow-streaming-tools

dhiltgen/remove_submodule

jmorganca/ga

jmorganca/mllama

pdevine/newlines

pdevine/geems-2b

jmorganca/llama-bump

mxyng/modelname-7

mxyng/gin-slog

mxyng/modelname-6

jyan/convert-prog

jyan/quant5

paligemma-support

pdevine/import-docs

jmorganca/openai-context

jyan/paligemma

jyan/p2

jyan/palitest

bmizerany/embedspeedup

jmorganca/llama-vit

brucemacd/allow-ollama

royh/ep-methods

royh/whisper

mxyng/api-models

mxyng/fix-memory

jyan/q4_4/8

jyan/ollama-v

royh/stream-tools

roy-embed-parallel

bmizerany/hrm

revert-5963-revert-5924-mxyng/llama3.1-rope

royh/embed-viz

jyan/local2

jyan/auth

jyan/local

jyan/parse-temp

jmorganca/template-mistral

jyan/reord-g

royh-openai-suffixdocs

royh-imgembed

royh-embed-parallel

jyan/quant4

royh-precision

jyan/progress

pdevine/fix-template

jyan/quant3

pdevine/ggla

mxyng/update-registry-domain

jmorganca/ggml-static

mxyng/create-context

jyan/v0.146

mxyng/layers-from-files

build_dist

bmizerany/noseek

royh-ls

royh-name

timeout

mxyng/server-timestamp

bmizerany/nosillyggufslurps

royh-params

jmorganca/llama-cpp-7c26775

royh-openai-delete

royh-show-rigid

jmorganca/enable-fa

jmorganca/no-error-template

jyan/format

royh-testdelete

bmizerany/fastverify

language_support

pdevine/ps-glitches

brucemacd/tokenize

bruce/iq-quants

bmizerany/filepathwithcoloninhost

mxyng/split-bin

bmizerany/client-registry

jmorganca/if-none-match

native

jmorganca/native

jmorganca/batch-embeddings

jmorganca/initcmake

jmorganca/mm

pdevine/showggmlinfo

modenameenforcealphanum

bmizerany/modenameenforcealphanum

jmorganca/done-reason

jmorganca/llama-cpp-8960fe8

ollama.com

bmizerany/filepathnobuild

bmizerany/types/model/defaultfix

rmdisplaylong

nogogen

bmizerany/x

modelfile-readme

bmizerany/replacecolon

jmorganca/limit

jmorganca/execstack

jmorganca/replace-assets

mxyng/tune-concurrency

jmorganca/testing

whitespace-detection

jmorganca/options

upgrade-all

scratch

cuda-search

mattw/airenamer

mattw/allmodelsonhuggingface

mattw/quantcontext

mattw/whatneedstorun

brucemacd/llama-mem-calc

mattw/faq-context

mattw/communitylinks

mattw/noprune

mattw/python-functioncalling

rename

mxyng/install

pulse

remove-first

editor

mattw/selfqueryingretrieval

cgo

mattw/howtoquant

api

matt/streamingapi

format-config

mxyng/extra-args

shell

update-nous-hermes

cp-model

upload-progress

fix-unknown-model

fix-model-names

delete-fix

insecure-registry

ls

deletemodels

progressbar

readme-updates

license-layers

skip-list

list-models

modelpath

matt/examplemodelfiles

distribution

go-opts

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/ollama#35027