x/vulndb: suggestion regarding GO-2026-4923

[ahrtr]

Report ID

GO-2026-4923

Suggestion/Comment

It's an invalid CVE. I suggest to mark this CVE as invalid.

As I mentioned in #4923 (comment), I (as a bbolt maintainer) wouldn't treat it as a vulnerability as it would never happen in a production environment.

[mx-psi]

@nicholashusin @ethanalee-work Would you be able to help with this? (Pinging you since you reviewed the patch that added this CVE)

Both a maintainer (OP) and the original submitter (#4923 (comment)) agree that this is invalid

[gopherbot]

Change https://go.dev/cl/764060 mentions this issue: cmd/cve: skip updates for rejected records

[gopherbot]

Change https://go.dev/cl/764061 mentions this issue: data/reports: withdraw GO-2026-4923

[nicholashusin]

Hey folks, thanks for bringing this to our attention, and apologies for the false positive!

As gopherbot has posted, the reports have been withdrawn. I've also rejected CVE-2026-33817 just now (it might take some propagation delay for the new status to be reflected in GHSA and other downstream systems).
Closing this now, but feel free to reopen if something else comes up.