v0.18.2 binaries are compiled with Go 1.25.6, which is missing the fix for CVE-2025-68121 (Critical, CVSS 10). Go 1.25.7 was released and includes the fix.
Some binaries in v0.18.2 also appear to be compiled with Go 1.25.0, missing fixes for 5 additional stdlib CVEs:
Affected binaries: config-manager, gpu-feature-discovery, mps-control-daemon, nvidia-device-plugin
Scan details: Trivy v0.52.2 against nvcr.io/nvidia/k8s-device-plugin:v0.18.2
Note: Go was already bumped to 1.26.0 on main in 504c510 (Feb 18, 2026), which would resolve all of these CVEs. However, no release has been cut since v0.18.2 (Jan 23), and this commit has not been backported to the release-0.18 branch.
Request: Could this Go version bump be backported to release-0.18 and a v0.18.3 patch release cut? This would unblock deployments blocked by scanner findings on these Go stdlib CVEs.
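An added example, not part of the original issue or of the project's code: a small Go program that reads the toolchain version the linker embedded in each binary passed on the command line (for instance the four binaries above, copied out of the image) and flags any built before Go 1.25.7. The names `versionKey`, `needsRebuild` and `check` are hypothetical, and the 1.25.7 threshold covers only CVE-2025-68121, because the issue does not state fixed versions for the other five CVEs.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// minFixed: first release the issue names as fixing CVE-2025-68121.
const minFixed = "go1.25.7"

// versionKey maps "go1.25.6" to 1025006 so releases compare as integers.
// A missing patch level counts as 0; trailing suffixes are ignored.
func versionKey(v string) (int, error) {
	var major, minor, patch int
	if n, _ := fmt.Sscanf(v, "go%d.%d.%d", &major, &minor, &patch); n < 2 {
		return 0, fmt.Errorf("unparseable Go version %q", v)
	}
	return major*1000000 + minor*1000 + patch, nil
}

// needsRebuild reports whether toolchain version ver predates minFixed.
func needsRebuild(ver string) (bool, error) {
	have, err := versionKey(ver)
	if err != nil {
		return false, err
	}
	want, err := versionKey(minFixed)
	return have < want, err
}

// check reads the Go version embedded in the binary at path and classifies it.
func check(path string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	old, err := needsRebuild(info.GoVersion)
	return info.GoVersion, old, err
}

func main() {
	for _, path := range os.Args[1:] {
		ver, old, err := check(path)
		fmt.Printf("%s\ttoolchain=%q needs_rebuild=%t err=%v\n", path, ver, old, err)
	}
}
```

Reading the embedded build info gives a per-binary answer that does not depend on the scanner's vulnerability database, which is useful when one image mixes toolchain versions.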