Go 1.26.5 and 1.25.12 landed simultaneously, each carrying security fixes to crypto/tls and os alongside routine bug fixes to the compiler, runtime, go command, and net/syscall packages. The two releases track in lockstep — same CVE coverage, different supported branches. Anything running either branch should upgrade. The crypto/tls surface means TLS-terminating services are directly in scope, and the os-package fix is broad enough that deferring isn't a great bet.