
Go version Bump to 1.26.2 #1256

Open
yashsingh74 wants to merge 1 commit into containernetworking:main from yashsingh74:bump-go

Conversation

@yashsingh74

Go Version Bump to 1.26.2

Summary

This PR upgrades the Go version to 1.26.2 across all build systems and CI workflows to incorporate critical security fixes and improvements.

Changes Made

  • ✅ Updated go.mod to specify Go 1.26.2
  • ✅ Updated GitHub Actions workflows to use Go 1.26.2

Why This Update is Important

Go 1.26.2 was released on April 7, 2026, addressing 10 critical security vulnerabilities. Upgrading ensures our CNI plugins are built with the latest security patches and maintain the highest security standards for container networking.

Security Vulnerabilities Fixed (CVEs)

This update addresses the following critical security issues:

High Priority Security Fixes

  • CVE-2026-32282 - os: Root.Chmod symlink vulnerability

    • Impact: On Linux systems, Root.Chmod could follow symlinks outside the root directory if the target was replaced during the operation
    • Fix: Uses fchmodat2 syscall when available for atomic operations
  • CVE-2026-32289 - html/template: XSS vulnerability

    • Impact: JavaScript template literal context was not properly tracked across template branches, causing incorrect escaping and potential XSS vulnerabilities
    • Fix: Improved template context tracking and escaping logic
  • CVE-2026-33810 - crypto/x509: DNS constraint bypass

    • Impact: Excluded DNS constraints were not properly applied to wildcard domains with different case sensitivity
    • Fix: Proper case-insensitive DNS constraint validation (Go 1.26 specific issue)

Memory Safety Critical Fixes

  • CVE-2026-27144 - cmd/compile: Memory safety bypass

    • Impact: Compiler failed to unwrap pointers in no-op interface conversions, leading to incorrect determination of non-overlapping moves and potential memory corruption
    • Fix: Enhanced compiler pointer analysis and type checking
  • CVE-2026-27143 - cmd/compile: Bound check elimination flaw

    • Impact: Slices and arrays accessed with induction variables were sometimes incorrectly proved to be in bounds, allowing memory access beyond bounds if the variables overflowed or underflowed
    • Fix: Improved bounds checking analysis in the compiler

Impact on CNI Plugins

This security update is particularly important for CNI plugins because:

  1. Network Security: CNI plugins handle critical network configuration and routing, making security paramount
  2. Container Runtime Integration: Plugins interact directly with container runtimes and need robust memory safety
  3. Privilege Operations: Many CNI plugins operate with elevated privileges, requiring secure coding practices
  4. Production Deployments: CNI plugins are deployed in production Kubernetes clusters where security is critical

Compliance & Security

This update helps maintain security compliance and follows best practices for:

  • CVE remediation timelines
  • Supply chain security
  • Container image security scanning
  • Production deployment security standards

References

Signed-off-by: yashsingh74 <yashsingh1774@gmail.com>
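The description above says the bump was applied to go.mod and to the GitHub Actions workflows; a reviewer would want a way to confirm that no declaration was missed. The following is an added example, not code from this PR or from the containernetworking project: a stdlib-only Go check that scans go.mod (`go` and `toolchain` directives) and setup-go workflow inputs (`go-version:`) and reports any declaration below the target version. The module path, file names and file contents below are constructed samples for the demonstration, not the repository's real files.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// wantGo is the toolchain version this PR targets; every declaration found
// in go.mod and in the CI workflows must be at least this.
const wantGo = "1.26.2"

// Constructed samples (not the project's real files): a go.mod and a
// workflow as they would look after the bump, plus a stale workflow that
// the bump missed. The module path is a placeholder.
const sampleGoMod = `module example.com/cni-plugins

go 1.26.2

toolchain go1.26.2
`

const sampleWorkflow = `name: test
jobs:
  build:
    steps:
      - uses: actions/setup-go@v5
        with:
          go-version: 1.26.2
`

const staleWorkflow = `name: release
jobs:
  release:
    steps:
      - uses: actions/setup-go@v5
        with:
          go-version: '1.25.4'
`

var (
	// go.mod: "go 1.26.2" and "toolchain go1.26.2". The required whitespace
	// after the keyword keeps "godebug ..." lines from matching.
	goModDirective = regexp.MustCompile(`^\s*(go|toolchain)\s+(\S+)`)
	// actions/setup-go: "go-version: 1.26.2". A "go-version-file: go.mod"
	// input is deliberately not matched; it inherits go.mod's value.
	setupGoVersion = regexp.MustCompile(`^\s*go-version:\s*(\S+)`)
)

// parseVersion turns "1.26.2", "go1.26.2", "'1.26.2'" or "1.26" into
// [major, minor, patch]; a missing patch level counts as 0, so a bare
// "go 1.26" in go.mod is reported as below 1.26.2.
func parseVersion(s string) ([3]int, error) {
	s = strings.TrimPrefix(strings.Trim(s, `"'`), "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return [3]int{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var v [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return [3]int{}, fmt.Errorf("unrecognised Go version %q", s)
		}
		v[i] = n
	}
	return v, nil
}

// compareVersions returns -1, 0 or 1 as a is below, equal to or above b.
func compareVersions(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// findVersions returns every Go version a file declares, keyed by
// "name:line" so a failing entry points at the exact spot to fix. The
// go.mod pattern is only applied to go.mod so that "go test" lines inside
// workflow run: blocks are not mistaken for directives.
func findVersions(name, text string) map[string]string {
	out := map[string]string{}
	isGoMod := strings.HasSuffix(name, "go.mod")
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		var v string
		if isGoMod {
			if m := goModDirective.FindStringSubmatch(line); m != nil {
				v = m[2]
			}
		} else if m := setupGoVersion.FindStringSubmatch(line); m != nil {
			v = m[1]
		}
		if v != "" {
			out[fmt.Sprintf("%s:%d", name, n)] = v
		}
	}
	return out
}

// checkVersions reports every declaration below min, sorted for stable
// output. An empty result means the bump is consistent across the files.
func checkVersions(min string, files map[string]string) ([]string, error) {
	want, err := parseVersion(min)
	if err != nil {
		return nil, err
	}
	var problems []string
	for name, text := range files {
		for where, v := range findVersions(name, text) {
			got, err := parseVersion(v)
			if err != nil {
				problems = append(problems, fmt.Sprintf("%s: %v", where, err))
				continue
			}
			if compareVersions(got, want) < 0 {
				problems = append(problems, fmt.Sprintf("%s: %s is below %s", where, v, min))
			}
		}
	}
	sort.Strings(problems)
	return problems, nil
}

func main() {
	files := map[string]string{
		"go.mod":                         sampleGoMod,
		".github/workflows/test.yaml":    sampleWorkflow,
		".github/workflows/release.yaml": staleWorkflow,
	}
	problems, err := checkVersions(wantGo, files)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(2)
	}
	for _, p := range problems {
		fmt.Println(p)
	}
	if len(problems) > 0 {
		os.Exit(1)
	}
	fmt.Println("all Go version declarations are at least", wantGo)
}
```

Run against the real repository by reading go.mod and each file under .github/workflows into the map instead of the constructed samples. Two further checks close the loop on the claim that the plugins are "built with the latest security patches": `go version -m <built-binary>` prints the toolchain embedded in a compiled plugin, which is what actually matters for the listed compiler and runtime fixes, and `govulncheck ./...` (from golang.org/x/vuln) reports whether any of the CVEs above still apply to the code paths the module reaches.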
