Google Git
Sign in
go/website/76c3d4ea151c4d927cab760d7db1112affee9c72^!/.
commit
76c3d4ea151c4d927cab760d7db1112affee9c72
[log]
author
Cherry Mui <cherryyz@google.com>
Thu Jan 08 14:29:27 2026 -0500
committer
Cherry Mui <cherryyz@google.com>
Thu Jan 08 13:15:03 2026 -0800
tree
53b0119c0ce44c52515d335a29f2f1cc7423a367
parent
c97685a94022a2e826f644e1f62e9976d5d62544 [diff]
_content/doc/go1.26: document heap address randomization

Change-Id: I7e7bad222e5d1a80a1ecaf7b30e8608d5abc9ba1
Reviewed-on: https://go-review.googlesource.com/c/website/+/734900
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>

diff --git a/_content/doc/go1.26.md b/_content/doc/go1.26.md
index 7de902e..7b0e250 100644
--- a/_content/doc/go1.26.md
+++ b/_content/doc/go1.26.md

@@ -202,6 +202,18 @@
 
 We aim to enable goroutine leak profiles by default in Go 1.27.
 
+### Heap base address randomization
+
+<!-- CL 674835 -->
+
+On 64-bit platforms, the runtime now randomizes the heap base address
+at startup.
+This is a security enhancement that makes it harder for attackers to
+predict memory addresses and exploit vulnerabilities when using cgo.
+This feature may be disabled by setting
+`GOEXPERIMENT=norandomizedheapbase64` at build time.
+This opt-out setting is expected to be removed in a future Go release.
+
 ## Compiler {#compiler}
 
 <!-- CLs 707755, 722440 -->