database/sql: incorrect results returned from Rows.Scan (CVE-2025-47907)

[rolandshoemaker]

Cancelling a query (e.g. by cancelling the context passed to one of the query
methods) during a call to the Scan method of the returned Rows can result in
unexpected results if other queries are being made in parallel. This can result
in a race condition that may overwrite the expected results with those of
another query, causing the call to Scan to return either unexpected results
from the other query or an error.

We believe this affects most database/sql drivers.

Thanks to Spike Curtis from Coder for reporting this issue.

This is CVE-2025-47907 and https://go.dev/issue/74831.

---

This is a PRIVATE issue for CVE-2025-47907, tracked in http://b/428194174.

/cc @golang/security and @golang/release

[rolandshoemaker]

@gopherbot please open backport issues.

[gopherbot]

Backport issue(s) opened: #74832 (for 1.23), #74833 (for 1.24), #74834 for (1.25).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[rolandshoemaker]

@gopherbot open a backport issue for Go 1.25.

[gopherbot]

Change https://go.dev/cl/693616 mentions this issue: [release-branch.go1.24] database/sql: avoid closing Rows while scan is in progress

[gopherbot]

Change https://go.dev/cl/693559 mentions this issue: [release-branch.go1.25] database/sql: avoid closing Rows while scan is in progress

[gopherbot]

Change https://go.dev/cl/693558 mentions this issue: [release-branch.go1.23] database/sql: avoid closing Rows while scan is in progress