Go 1.27 rc1 and 1.26.4 ship security fixes

Google released Go 1.27 rc1 and Go 1.26.4 with security fixes and telemetry guidance.

Google released Go 1.27 release candidate 1 on Jun. 18, 2026, then followed with Go 1.26.4 and Go 1.25.11 on Jun. 2. The RC asks developers to test production loads and unit tests, while the point releases patch security issues across MIME parsing, textproto errors, x509 hostname checks, x/net, x/crypto, and x/sys.

What changed

Go 1.27 rc1 is available through the usual download path and via go install golang.org/dl/go1.27rc1@latest followed by go1.27rc1 download. The team also points developers to draft release notes for the new branch and asks anyone testing it to file issues through the Go tracker.

In the same update cycle, Google shipped maintenance releases for older branches. Go 1.26.4 and Go 1.25.11 include three security fixes in the core toolchain, and the broader ecosystem saw new tagged releases in golang.org/x/sys, golang.org/x/net, and golang.org/x/crypto.

• MIME header decoding now avoids quadratic CPU use on malformed input.
• net/textproto no longer injects raw attacker-controlled text into error output.
• crypto/x509 now splits candidate hostnames once, reducing hostname-check cost.
• x/net fixes HTML parsing bugs, XSS cases, and an idna privilege issue.
• x/crypto patches SSH panics, constraint handling, and a memory leak path.

Go’s telemetry push is also part of this release cycle. The team says opt-in telemetry stays open and anonymous, and that data from tools such as gopls has already informed earlier fixes and tuning.

Why it matters

For developers, this is less about new language features than about safer upgrades and faster validation. If your services parse MIME, verify certificates, or expose SSH flows, the patched packages close off denial-of-service, injection, and authorization bugs that could surface in production even before a full release lands.

For the ecosystem, the release candidate invites real-world testing before Go 1.27 finalizes. That matters because Go’s security fixes often land first in x/* modules and then shape how teams pin dependencies, update CI, and decide when to move off older minor versions.

The short version: Go’s June update wave is a reminder to test the RC now, patch the point releases where needed, and decide whether to opt into telemetry before the next round of release decisions is made.