"We plan to issue Go 1.19.3 and Go 1.18.8 on Tuesday, November 1.
These minor releases include PRIVATE security fixes to the standard library."
"These minor releases include 1 security fix following the security policy <https://go.dev/security>:
- syscall, os/exec: unsanitized NUL in environment variables
On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D".
Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
This is CVE-2022-41716 and Go issue https://go.dev/issue/56284."