chore(deps): update module golang.org/x/sys to v0.44.0 [security] #2729

Open
redhat-renovate-bot wants to merge 1 commit into main from renovate/go-golang.org-x-sys-vulnerability

@redhat-renovate-bot
Collaborator

This PR contains the following updates:

Package | Type | Update | Change
golang.org/x/sys | indirect | minor | v0.43.0 → v0.44.0

Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows

CVE-2026-39824 / GO-2026-5024

More information

Details

NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of an NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.

Signed-off-by: redhat-renovate-bot <redhat-internal-renovate@redhat.com>
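
The truncation described under Details, modelled as an added Go example (not code from golang.org/x/sys or from this PR). `ntString`, `newUnchecked`, `newChecked` and the sample input are hypothetical names constructed here; the only property taken from the advisory is that the length is a 16-bit number of bytes.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// ntString is a simplified stand-in for a counted UTF-16 string whose
// lengths are 16-bit byte counts (hypothetical type, for illustration only).
type ntString struct {
	Length        uint16 // bytes in use, excluding the terminating NUL
	MaximumLength uint16 // bytes allocated, including the terminating NUL
	Buffer        []uint16
}

var errTooLong = errors.New("string too long for a 16-bit byte length")

// newUnchecked narrows the byte count to uint16 without a range check,
// so an oversized input silently wraps to a much shorter recorded length.
func newUnchecked(s string) ntString {
	buf := append(utf16.Encode([]rune(s)), 0)
	n := uint16(len(buf) * 2) // wraps modulo 65536
	return ntString{Length: n - 2, MaximumLength: n, Buffer: buf}
}

// newChecked returns an error when the byte count does not fit in uint16.
func newChecked(s string) (ntString, error) {
	buf := append(utf16.Encode([]rune(s)), 0)
	if len(buf)*2 > 0xFFFF {
		return ntString{}, errTooLong
	}
	n := uint16(len(buf) * 2)
	return ntString{Length: n - 2, MaximumLength: n, Buffer: buf}, nil
}

func main() {
	long := strings.Repeat("A", 32768) + "tail" // constructed sample input
	u := newUnchecked(long)
	fmt.Printf("input units=%d, recorded Length=%d bytes\n", len(long), u.Length)
	if _, err := newChecked(long); err != nil {
		fmt.Println("checked constructor:", err)
	}
}
```

Any consumer that trusts the recorded length sees only the first four code units of the 32772-unit input, which is why the checked form reports an error instead.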
@redhat-renovate-bot redhat-renovate-bot added the release-note-none Denotes a PR that doesn't merit a release note. label May 23, 2026
@kubevirt-bot kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label May 23, 2026
@kubevirt-bot kubevirt-bot requested review from oshoval and phoracek May 23, 2026 04:56
@kubevirt-bot
Collaborator

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign oshoval for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request updates the golang.org/x/sys dependency to v0.44.0 and introduces several enhancements, including Windows ARM64 CPU feature detection and a new CPUSetDynamic type for Linux to support CPU affinity masks larger than 1024 bits. It also adds various Windows networking syscalls and improves Utime handling across several Linux architectures. Review feedback identified a critical bug in SetMemPolicyDynamic where the mask size is incorrectly passed in bytes rather than bits, and recommended adding input validation to NewCPUSet to prevent potential panics from negative input values.

Comment on lines +2653 to 2655
func SetMemPolicyDynamic(mode int, mask CPUSetDynamic) error {
return setMemPolicy(mode, mask.pointer(), mask.size())
}
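
Review bot: the third argument in `setMemPolicy(mode, mask.pointer(), mask.size())` carries no visible unit, and set_mempolicy(2) takes `maxnode` as a count of bits in the node mask, so a byte count from `mask.size()` would make the kernel read only part of the mask. Confirm what `size()` returns and pass a bit count if it is bytes; a doc comment stating that the `CPUSetDynamic` argument is interpreted as a NUMA node mask here, and what an empty mask does, would also help callers.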

high

The set_mempolicy syscall expects the number of bits (maxnode) as its third argument, but mask.size() returns the size in bytes. This will cause the kernel to only consider a fraction of the intended nodes (e.g., only the first 128 nodes if 1024 were intended on a 64-bit system). It should be updated to pass the number of bits.

Suggested change
func SetMemPolicyDynamic(mode int, mask CPUSetDynamic) error {
return setMemPolicy(mode, mask.pointer(), mask.size())
}
func SetMemPolicyDynamic(mode int, mask CPUSetDynamic) error {
return setMemPolicy(mode, mask.pointer(), uintptr(len(mask))*_NCPUBITS)
}

Comment on lines +125 to +131
func NewCPUSet(maxCPU int) CPUSetDynamic {
numMasks := (maxCPU + _NCPUBITS - 1) / _NCPUBITS
if numMasks == 0 {
numMasks = 1
}
return make(CPUSetDynamic, numMasks)
}
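
Review bot: `maxCPU` reaches the ceiling division `(maxCPU + _NCPUBITS - 1) / _NCPUBITS` without a range check. Go integer division truncates toward zero, so slightly negative inputs yield `numMasks == 0` and are silently clamped to 1, more negative inputs make `numMasks` negative and `make` panics, and values near the top of the `int` range wrap in the addition with the same result. Suggest an explicit guard on `maxCPU` at the top of the function and a doc comment stating whether `maxCPU` is a count or a highest index, since `NewCPUSet(64)` and `NewCPUSet(63)` allocate the same single word when `_NCPUBITS` is 64.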

medium

The NewCPUSet function does not validate that maxCPU is non-negative. If a large negative value is passed (e.g., less than -63 when _NCPUBITS is 64), the numMasks calculation can result in a negative integer, leading to a panic when make is called. Adding a check for negative input would make the function more robust.

func NewCPUSet(maxCPU int) CPUSetDynamic {
	if maxCPU < 0 {
		maxCPU = 0
	}
	numMasks := (maxCPU + _NCPUBITS - 1) / _NCPUBITS
	if numMasks == 0 {
		numMasks = 1
	}
	return make(CPUSetDynamic, numMasks)
}

Labels

dco-signoff: yes Indicates the PR's author has DCO signed all their commits. release-note-none Denotes a PR that doesn't merit a release note. size/L
