"We plan to issue Go 1.19.3 and Go 1.18.8 on Tuesday, November 1. These minor releases include PRIVATE security fixes to the standard library."
"These minor releases include 1 security fix following the security policy <https://go.dev/security>:

- syscall, os/exec: unsanitized NUL in environment variables

  On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D".

  Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

  This is CVE-2022-41716 and Go issue https://go.dev/issue/56284."

This affects Windows only.
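
The effect described in the advisory, as an added example that is not code from the Go project: a simplified model of the Windows environment block shows why one entry with an embedded NUL is read back as two variables, and a caller-side check rejects such entries. `buildEnvBlock`, `parseEnvBlock` and `checkEnv` are hypothetical names, and the model uses bytes where the real block is UTF-16.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// buildEnvBlock models (in bytes, for brevity; the real block is UTF-16) the
// Windows process environment block: every "NAME=value" entry is NUL-terminated
// and one extra NUL ends the block. No validation, as in the affected behavior.
func buildEnvBlock(env []string) []byte {
	var block []byte
	for _, kv := range env {
		block = append(block, kv...)
		block = append(block, 0)
	}
	return append(block, 0)
}

// parseEnvBlock splits the block at NULs, as the child process would see it.
func parseEnvBlock(block []byte) []string {
	var vars []string
	for len(block) > 0 && block[0] != 0 {
		i := bytes.IndexByte(block, 0)
		if i < 0 {
			break
		}
		vars = append(vars, string(block[:i]))
		block = block[i+1:]
	}
	return vars
}

// checkEnv is a caller-side guard: refuse any entry that contains a NUL byte.
func checkEnv(env []string) error {
	for i, kv := range env {
		if strings.IndexByte(kv, 0) >= 0 {
			return fmt.Errorf("env[%d] %q contains a NUL byte", i, kv)
		}
	}
	return nil
}

func main() {
	env := []string{"A=B\x00C=D"} // the string from the advisory
	fmt.Printf("unchecked: %q\n", parseEnvBlock(buildEnvBlock(env)))
	fmt.Println("checkEnv:", checkEnv(env))
}
```

Running `checkEnv` over any environment slice built from untrusted input before assigning it to `exec.Cmd.Env` keeps the entry count seen by the child equal to the count the parent intended.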