Double Free Affecting goreleaser package, versions <2.15.4-r2


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

Social Trends
EPSS
0.81% (53rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-GORELEASER-16632714
  • published11 May 2026
  • disclosed7 May 2026

Introduced: 7 May 2026

CVE-2026-33811  (opens in a new tab)
CWE-415  (opens in a new tab)

How to fix?

Upgrade Chainguard goreleaser to version 2.15.4-r2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream goreleaser package and not the goreleaser package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

CVSS Base Scores

version 3.1