
fix: upgrade Go to 1.26.0 to resolve CVE-2025-68121 #8884

Open
WSandboxedOCCodeBot wants to merge 1 commit into knative:main from WSandboxedOCCodeBot:fix/go-1.26-upgrade

Conversation


@WSandboxedOCCodeBot WSandboxedOCCodeBot commented Feb 23, 2026

Summary

Upgrade Go toolchain from 1.24.x to 1.26.0 to resolve a CRITICAL severity Go standard library CVE identified by Trivy container image scanning.

Motivation

Routine security scanning of Knative Eventing container images using Trivy revealed a Go stdlib vulnerability that is resolved in Go 1.26.0. This is a minimal Go toolchain version bump with no functional modifications to the Knative Eventing application code.

Trivy Scan Command

trivy image --severity HIGH,CRITICAL gcr.io/knative-releases/knative.dev/eventing/cmd/controller:latest
trivy image --severity HIGH,CRITICAL gcr.io/knative-releases/knative.dev/eventing/cmd/webhook:latest

Findings (Before Fix -- Go 1.24.x)

gcr.io/knative-releases/knative.dev/eventing/cmd/controller:latest (distroless)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version  │ Title                                                   │
├─────────┼────────────────┼──────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-68121 │ CRITICAL │ 1.24.4            │ 1.26.0         │ crypto/tls: session resumption allows denial of service  │
└─────────┴────────────────┴──────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────┘

Findings (After Fix -- Go 1.26.0)

gcr.io/knative-releases/knative.dev/eventing/cmd/controller:fixed (distroless)

Total: 0 (HIGH: 0, CRITICAL: 0)

No HIGH or CRITICAL Go stdlib vulnerabilities detected.

CVE Details

  • CVE-2025-68121 (CRITICAL): Vulnerability in crypto/tls related to session resumption that can lead to denial of service. Knative Eventing manages event-driven architectures and uses TLS for broker communication, channel subscriptions, and Kubernetes API access, making this vulnerability directly relevant.

Changes

  • Updated Go toolchain version from 1.24.x to 1.26.0
  • No functional code changes
  • No dependency changes beyond the Go toolchain itself

Testing

  • Local rebuild and Trivy re-scan confirm the stdlib CVE is resolved
  • No behavioral changes expected as this is a toolchain-only update
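The description above relies on Trivy re-reporting the stdlib version after the rebuild. An independent check of the same fact, added here as an example and not code from this PR or from the Knative project, reads the build info that the Go linker embeds in every binary (the data `go version -m` prints, and the same embedded record a scanner such as Trivy reads to decide which stdlib version a binary carries) and compares the recorded toolchain against the version the scanner lists as fixed. The comparison is written out rather than done on strings so that a pre-release such as go1.26rc1 does not pass for go1.26.0 and a "devel" toolchain is rejected outright. The `gocheck` name, the binary path and the minimum version on the command line are assumptions; only the Go standard library is used.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion converts a toolchain string such as "go1.24.4", "1.26.0"
// or "go1.26rc1" into a comparable tuple [major, minor, patch, release].
// release is 1 for a final release and 0 for a pre-release (rc/beta), so
// "go1.26rc1" sorts below "go1.26.0". Strings that are not a release
// version, e.g. "devel go1.27-abc123", are rejected.
func parseGoVersion(v string) ([4]int, error) {
	var out [4]int
	out[3] = 1 // assume a final release until a suffix says otherwise
	s := strings.TrimPrefix(strings.TrimSpace(v), "go")
	parts := strings.SplitN(s, ".", 3)
	for i, p := range parts {
		j := 0
		for j < len(p) && p[j] >= '0' && p[j] <= '9' {
			j++
		}
		if j == 0 {
			return out, fmt.Errorf("%q is not a release Go version", v)
		}
		n, err := strconv.Atoi(p[:j])
		if err != nil {
			return out, err
		}
		out[i] = n
		if j < len(p) { // trailing "rc1" / "beta2": a pre-release
			out[3] = 0
		}
	}
	return out, nil
}

// versionAtLeast reports whether the toolchain recorded in a binary
// (built) is at or above the minimum a scanner reports as the fixed version.
func versionAtLeast(built, min string) (bool, error) {
	b, err := parseGoVersion(built)
	if err != nil {
		return false, err
	}
	m, err := parseGoVersion(min)
	if err != nil {
		return false, err
	}
	for i := range b {
		if b[i] != m[i] {
			return b[i] > m[i], nil
		}
	}
	return true, nil
}

// checkBinary reads the embedded build info of a compiled Go binary and
// checks the recorded toolchain against min. The recorded version is
// returned as well so the caller can report it; it reflects the toolchain
// that actually compiled the binary, whatever go.mod declares.
func checkBinary(path, min string) (string, bool, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, fmt.Errorf("reading build info from %s: %w", path, err)
	}
	ok, err := versionAtLeast(bi.GoVersion, min)
	return bi.GoVersion, ok, err
}

func main() {
	// Assumed invocation: gocheck <binary> <min-go-version>
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <binary> <min-go-version>")
		os.Exit(2)
	}
	got, ok, err := checkBinary(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if !ok {
		fmt.Printf("%s: built with %s, need %s or newer\n", os.Args[1], got, os.Args[2])
		os.Exit(1)
	}
	fmt.Printf("%s: built with %s (>= %s)\n", os.Args[1], got, os.Args[2])
}
```

Run it against the controller or webhook binary copied out of the image (for a distroless image, export the filesystem with `docker save` or `crane export` and take the binary from it) with the fixed version from the Trivy table as the second argument. A non-zero exit means the image was built with an older toolchain than the bump intended, which is the failure mode to rule out before trusting a "0 findings" re-scan.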

@linux-foundation-easycla

CLA Missing ID CLA Not Signed


knative-prow bot commented Feb 23, 2026

Hi @WSandboxedOCCodeBot. Thanks for your PR.

I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@knative-prow knative-prow bot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 23, 2026

knative-prow bot commented Feb 23, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: WSandboxedOCCodeBot
Once this PR has been reviewed and has the lgtm label, please assign dsimansk for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
