diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 5170068ca2..ee268a45d4 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -34,9 +34,9 @@
 # Keep versions on both arches in sync.
 =app-emulation/qemu-guest-agent-9.2.0 ~arm64
 
-# Needed to address CVE-2025-22871 and to bring in a patch disabling
-# gold linker on arm64.
-=dev-lang/go-1.24.2-r1 ~amd64 ~arm64
+# Needed to address CVE-2025-22871, bring in a patch disabling gold linker on
+# arm64, and fix a segfault concerning vgetrandom.
+=dev-lang/go-1.24.2-r2 ~amd64 ~arm64
 
 # Needed to address CVE-2024-56406.
 =dev-lang/perl-5.40.2 ~amd64 ~arm64
diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/go/Manifest b/sdk_container/src/third_party/portage-stable/dev-lang/go/Manifest
index fc05341cc0..23d57986ce 100644
--- a/sdk_container/src/third_party/portage-stable/dev-lang/go/Manifest
+++ b/sdk_container/src/third_party/portage-stable/dev-lang/go/Manifest
@@ -1,3 +1,2 @@
-DIST go1.23.7.src.tar.gz 28181215 BLAKE2B d3c9bff18438f90f6730e1ad9580a3f97d266f90533552cd73b63b512c694de76466435f274dc2b190c672cdbd83ffaf735e4e74c12e426cac920b81dbfd88af SHA512 79192b760ab6fcc9512fd879a9484a3566fdeec5eace36c54b728cd9cb033e7ac68065a42fc657b351a106d684b79fdbefbf682cf63209c0191e7e7c8c0a0147
 DIST go1.23.8.src.tar.gz 28182772 BLAKE2B 568b9fcc7ed12cb19e10b458fc1890a5977c97660657e9eb7c171aa16382f6790a78cb87df99ed72ec18d5ff1654ee4d15a4d603332ad0812ee97f6500866198 SHA512 8e352a01484c168894026080ee4501180e327d734fb3d892ab17daac193964fcd5fd90033c9cf86d6ffe8b7e4da64bda83ba4501a6c05919bcefbe9e2467c771
 DIST go1.24.2.src.tar.gz 30787666 BLAKE2B bb5f998a87e6527def304347b854c4addb0860a03da82e711f60e2af460bd43c36273b25126c643a679ae22fca226e6a4fc5ba55967d21965ffdc8f564781e35 SHA512 6366a32f6678e7908b138f62dafeed96f7144b3b93505e75fba374b33727da8b1d087c1f979f493382b319758ebfcbeb30e9d7dadcb2923b628c8abe7db41c6f
diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/go/files/go-1.24-vgetrandom.patch b/sdk_container/src/third_party/portage-stable/dev-lang/go/files/go-1.24-vgetrandom.patch
new file mode 100644
index 0000000000..5baed139a0
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/dev-lang/go/files/go-1.24-vgetrandom.patch
@@ -0,0 +1,234 @@ +From ff2636f45e0087a1c6d8e895257d9c4729710811 Mon Sep 17 00:00:00 2001 +From: Michael Pratt +Date: Thu, 03 Apr 2025 03:26:25 +0000 +Subject: [PATCH] [release-branch.go1.24] runtime: cleanup M vgetrandom state before dropping P + +When an M is destroyed, we put its vgetrandom state back on the shared +list for another M to reuse. This list is simply a slice, so appending +to the slice may allocate. Currently this operation is performed in +mdestroy, after the P is released, meaning allocation is not allowed. + +More the cleanup earlier in mdestroy when allocation is still OK. + +Also add //go:nowritebarrierrec to mdestroy since it runs without a P, +which would have caught this bug. + +Fixes #73144. +For #73141. + +Change-Id: I6a6a636c3fbf5c6eec09d07a260e39dbb4d2db12 +Reviewed-on: https://go-review.googlesource.com/c/go/+/662455 +Reviewed-by: Jason Donenfeld +LUCI-TryBot-Result: Go LUCI +Reviewed-by: Keith Randall +Reviewed-by: Keith Randall +(cherry picked from commit 0b31e6d4cc804ab76ae8ced151ee2f50657aec14) +--- + +diff --git a/src/runtime/os3_solaris.go b/src/runtime/os3_solaris.go +index cf163a6..ded821b 100644 +--- a/src/runtime/os3_solaris.go ++++ b/src/runtime/os3_solaris.go +@@ -234,8 +234,11 @@ + getg().m.procid = 0 + } + +-// Called from exitm, but not from drop, to undo the effect of thread-owned ++// Called from mexit, but not from dropm, to undo the effect of thread-owned + // resources in minit, semacreate, or elsewhere. Do not take locks after calling this. ++// ++// This always runs without a P, so //go:nowritebarrierrec is required. 
++//go:nowritebarrierrec + func mdestroy(mp *m) { + } + +diff --git a/src/runtime/os_aix.go b/src/runtime/os_aix.go +index 93464cb..1b483c2 100644 +--- a/src/runtime/os_aix.go ++++ b/src/runtime/os_aix.go +@@ -186,8 +186,11 @@ + getg().m.procid = 0 + } + +-// Called from exitm, but not from drop, to undo the effect of thread-owned ++// Called from mexit, but not from dropm, to undo the effect of thread-owned + // resources in minit, semacreate, or elsewhere. Do not take locks after calling this. ++// ++// This always runs without a P, so //go:nowritebarrierrec is required. ++//go:nowritebarrierrec + func mdestroy(mp *m) { + } + +diff --git a/src/runtime/os_darwin.go b/src/runtime/os_darwin.go +index 0ecbea7..6eab3b5 100644 +--- a/src/runtime/os_darwin.go ++++ b/src/runtime/os_darwin.go +@@ -344,8 +344,11 @@ + getg().m.procid = 0 + } + +-// Called from exitm, but not from drop, to undo the effect of thread-owned ++// Called from mexit, but not from dropm, to undo the effect of thread-owned + // resources in minit, semacreate, or elsewhere. Do not take locks after calling this. ++// ++// This always runs without a P, so //go:nowritebarrierrec is required. ++//go:nowritebarrierrec + func mdestroy(mp *m) { + } + +diff --git a/src/runtime/os_dragonfly.go b/src/runtime/os_dragonfly.go +index a02696e..9b32350 100644 +--- a/src/runtime/os_dragonfly.go ++++ b/src/runtime/os_dragonfly.go +@@ -216,8 +216,11 @@ + getg().m.procid = 0 + } + +-// Called from exitm, but not from drop, to undo the effect of thread-owned ++// Called from mexit, but not from dropm, to undo the effect of thread-owned + // resources in minit, semacreate, or elsewhere. Do not take locks after calling this. ++// ++// This always runs without a P, so //go:nowritebarrierrec is required. 
++//go:nowritebarrierrec + func mdestroy(mp *m) { + } + +diff --git a/src/runtime/os_linux.go b/src/runtime/os_linux.go +index 8b3c4d0..fb46b81 100644 +--- a/src/runtime/os_linux.go ++++ b/src/runtime/os_linux.go +@@ -412,13 +412,12 @@ + getg().m.procid = 0 + } + +-// Called from exitm, but not from drop, to undo the effect of thread-owned ++// Called from mexit, but not from dropm, to undo the effect of thread-owned + // resources in minit, semacreate, or elsewhere. Do not take locks after calling this. ++// ++// This always runs without a P, so //go:nowritebarrierrec is required. ++//go:nowritebarrierrec + func mdestroy(mp *m) { +- if mp.vgetrandomState != 0 { +- vgetrandomPutState(mp.vgetrandomState) +- mp.vgetrandomState = 0 +- } + } + + // #ifdef GOARCH_386 +diff --git a/src/runtime/os_netbsd.go b/src/runtime/os_netbsd.go +index 735ace2..a06e5fe 100644 +--- a/src/runtime/os_netbsd.go ++++ b/src/runtime/os_netbsd.go +@@ -320,8 +320,11 @@ + // must continue working after unminit. + } + +-// Called from exitm, but not from drop, to undo the effect of thread-owned ++// Called from mexit, but not from dropm, to undo the effect of thread-owned + // resources in minit, semacreate, or elsewhere. Do not take locks after calling this. ++// ++// This always runs without a P, so //go:nowritebarrierrec is required. ++//go:nowritebarrierrec + func mdestroy(mp *m) { + } + +diff --git a/src/runtime/os_openbsd.go b/src/runtime/os_openbsd.go +index 574bfa8..4ce4c3c 100644 +--- a/src/runtime/os_openbsd.go ++++ b/src/runtime/os_openbsd.go +@@ -182,8 +182,11 @@ + getg().m.procid = 0 + } + +-// Called from exitm, but not from drop, to undo the effect of thread-owned ++// Called from mexit, but not from dropm, to undo the effect of thread-owned + // resources in minit, semacreate, or elsewhere. Do not take locks after calling this. ++// ++// This always runs without a P, so //go:nowritebarrierrec is required. 
++//go:nowritebarrierrec + func mdestroy(mp *m) { + } + +diff --git a/src/runtime/os_plan9.go b/src/runtime/os_plan9.go +index 2dbb42a..3b5965a 100644 +--- a/src/runtime/os_plan9.go ++++ b/src/runtime/os_plan9.go +@@ -217,8 +217,11 @@ + func unminit() { + } + +-// Called from exitm, but not from drop, to undo the effect of thread-owned ++// Called from mexit, but not from dropm, to undo the effect of thread-owned + // resources in minit, semacreate, or elsewhere. Do not take locks after calling this. ++// ++// This always runs without a P, so //go:nowritebarrierrec is required. ++//go:nowritebarrierrec + func mdestroy(mp *m) { + } + +diff --git a/src/runtime/os_windows.go b/src/runtime/os_windows.go +index 7183e79..54407a3 100644 +--- a/src/runtime/os_windows.go ++++ b/src/runtime/os_windows.go +@@ -906,9 +906,11 @@ + mp.procid = 0 + } + +-// Called from exitm, but not from drop, to undo the effect of thread-owned ++// Called from mexit, but not from dropm, to undo the effect of thread-owned + // resources in minit, semacreate, or elsewhere. Do not take locks after calling this. + // ++// This always runs without a P, so //go:nowritebarrierrec is required. ++//go:nowritebarrierrec + //go:nosplit + func mdestroy(mp *m) { + if mp.highResTimer != 0 { +diff --git a/src/runtime/proc.go b/src/runtime/proc.go +index e9873e5..21bee4d 100644 +--- a/src/runtime/proc.go ++++ b/src/runtime/proc.go +@@ -1935,6 +1935,9 @@ + mp.gsignal = nil + } + ++ // Free vgetrandom state. ++ vgetrandomDestroy(mp) ++ + // Remove m from allm. + lock(&sched.lock) + for pprev := &allm; *pprev != nil; pprev = &(*pprev).alllink { +diff --git a/src/runtime/vgetrandom_linux.go b/src/runtime/vgetrandom_linux.go +index a6ec4b7..40be022 100644 +--- a/src/runtime/vgetrandom_linux.go ++++ b/src/runtime/vgetrandom_linux.go +@@ -73,9 +73,16 @@ + return state + } + +-func vgetrandomPutState(state uintptr) { ++// Free vgetrandom state from the M (if any) prior to destroying the M. 
++// ++// This may allocate, so it must have a P. ++func vgetrandomDestroy(mp *m) { ++ if mp.vgetrandomState == 0 { ++ return ++ } ++ + lock(&vgetrandomAlloc.statesLock) +- vgetrandomAlloc.states = append(vgetrandomAlloc.states, state) ++ vgetrandomAlloc.states = append(vgetrandomAlloc.states, mp.vgetrandomState) + unlock(&vgetrandomAlloc.statesLock) + } + +diff --git a/src/runtime/vgetrandom_unsupported.go b/src/runtime/vgetrandom_unsupported.go +index 070392c..43c53e1 100644 +--- a/src/runtime/vgetrandom_unsupported.go ++++ b/src/runtime/vgetrandom_unsupported.go +@@ -13,6 +13,6 @@ + return -1, false + } + +-func vgetrandomPutState(state uintptr) {} ++func vgetrandomDestroy(mp *m) {} + + func vgetrandomInit() {} diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.23.7.ebuild b/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.23.7.ebuild deleted file mode 100644 index e51a36bbc3..0000000000 --- a/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.23.7.ebuild +++ /dev/null 
@@ -1,163 +0,0 @@ -# Copyright 1999-2025 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -export CBUILD=${CBUILD:-${CHOST}} -export CTARGET=${CTARGET:-${CHOST}} - -# See "Bootstrap" in release notes -GO_BOOTSTRAP_MIN=1.20.14 -MY_PV=${PV/_/} - -inherit go-env toolchain-funcs - -case ${PV} in -*9999*) - EGIT_REPO_URI="https://github.com/golang/go.git" - inherit git-r3 - ;; -*) - SRC_URI="https://storage.googleapis.com/golang/go${MY_PV}.src.tar.gz " - S="${WORKDIR}"/go - case ${PV} in - *_beta*|*_rc*) ;; - *) - KEYWORDS="-* amd64 arm arm64 ~loong ~mips ppc64 ~riscv ~s390 x86 ~amd64-linux ~x86-linux ~x64-macos ~x64-solaris" - ;; - esac -esac - -DESCRIPTION="A concurrent garbage collected and typesafe programming language" -HOMEPAGE="https://go.dev" - -LICENSE="BSD" -SLOT="0/${PV}" -IUSE="cpu_flags_x86_sse2" - -RDEPEND=" -arm? ( sys-devel/binutils[gold(-)] ) -arm64? ( sys-devel/binutils[gold(-)] )" -BDEPEND="|| ( - >=dev-lang/go-${GO_BOOTSTRAP_MIN} - >=dev-lang/go-bootstrap-${GO_BOOTSTRAP_MIN} )" - -# the *.syso files have writable/executable stacks -QA_EXECSTACK='*.syso' - -# Do not complain about CFLAGS, etc, since Go doesn't use them. -QA_FLAGS_IGNORED='.*' - -# The tools in /usr/lib/go should not cause the multilib-strict check to fail. -QA_MULTILIB_PATHS="usr/lib/go/pkg/tool/.*/.*" - -# This package triggers "unrecognized elf file(s)" notices on riscv. -# https://bugs.gentoo.org/794046 -QA_PREBUILT='.*' - -# Do not strip this package. Stripping is unsupported upstream and may -# fail. 
-RESTRICT=" strip" - -DOCS=( - CONTRIBUTING.md - PATENTS - README.md - SECURITY.md -) - -go_tuple() { - echo "$(go-env_goos $@)_$(go-env_goarch $@)" -} - -go_cross_compile() { - [[ $(go_tuple ${CBUILD}) != $(go_tuple) ]] -} - -PATCHES=( - "${FILESDIR}"/go-1.24-skip-gdb-tests.patch - "${FILESDIR}"/go-never-download-newer-toolchains.patch -) - -src_compile() { - if has_version -b ">=dev-lang/go-${GO_BOOTSTRAP_MIN}"; then - export GOROOT_BOOTSTRAP="${BROOT}/usr/lib/go" - elif has_version -b ">=dev-lang/go-bootstrap-${GO_BOOTSTRAP_MIN}"; then - export GOROOT_BOOTSTRAP="${BROOT}/usr/lib/go-bootstrap" - else - eerror "Go cannot be built without go or go-bootstrap installed" - die "Should not be here, please report a bug" - fi - - # Go's build script does not use BUILD/HOST/TARGET consistently. :( - export GOHOSTARCH=$(go-env_goarch ${CBUILD}) - export GOHOSTOS=$(go-env_goos ${CBUILD}) - export CC=$(tc-getBUILD_CC) - - export GOARCH=$(go-env_goarch) - export GOOS=$(go-env_goos) - export CC_FOR_TARGET=$(tc-getCC) - export CXX_FOR_TARGET=$(tc-getCXX) - use arm && export GOARM=$(go-env_goarm) - use x86 && export GO386=$(go-env_go386) - - cd src - bash -x ./make.bash || die "build failed" -} - -src_test() { - go_cross_compile && return 0 - - cd src - - # https://github.com/golang/go/issues/42005 - rm cmd/link/internal/ld/fallocate_test.go || die - - PATH="${GOBIN}:${PATH}" \ - ./run.bash -no-rebuild -k || die "tests failed" - cd .. 
- rm -fr pkg/*_race || die - rm -fr pkg/obj/go-build || die -} - -src_install() { - dodir /usr/lib/go - # The use of cp is deliberate in order to retain permissions - cp -R api bin doc lib pkg misc src test "${ED}"/usr/lib/go - einstalldocs - - insinto /usr/lib/go - doins go.env VERSION* - - # testdata directories are not needed on the installed system - rm -fr $(find "${ED}"/usr/lib/go -iname testdata -type d -print) - - local bin_path - if go_cross_compile; then - bin_path="bin/$(go_tuple)" - else - bin_path=bin - fi - local f x - for x in ${bin_path}/*; do - f=${x##*/} - dosym ../lib/go/${bin_path}/${f} /usr/bin/${f} - done - - # install the @golang-rebuild set for Portage - insinto /usr/share/portage/config/sets - newins "${FILESDIR}"/go-sets.conf go.conf -} - -pkg_postinst() { - [[ -z ${REPLACING_VERSIONS} ]] && return - elog "After ${CATEGORY}/${PN} is updated it is recommended to rebuild" - elog "all packages compiled with previous versions of ${CATEGORY}/${PN}" - elog "due to the static linking nature of go." - elog "If this is not done, the packages compiled with the older" - elog "version of the compiler will not be updated until they are" - elog "updated individually, which could mean they will have" - elog "vulnerabilities." - elog "Run 'emerge @golang-rebuild' to rebuild all 'go' packages" - elog "See https://bugs.gentoo.org/752153 for more info" -} diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.23.8.ebuild b/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.23.8.ebuild index 240ec7d23b..e51a36bbc3 100644 --- a/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.23.8.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.23.8.ebuild 
@@ -23,7 +23,7 @@ case ${PV} in
 case ${PV} in
 *_beta*|*_rc*) ;;
 *)
- KEYWORDS="-* amd64 arm ~arm64 ~loong ~mips ppc64 ~riscv ~s390 x86 ~amd64-linux ~x86-linux ~x64-macos ~x64-solaris"
+ KEYWORDS="-* amd64 arm arm64 ~loong ~mips ppc64 ~riscv ~s390 x86 ~amd64-linux ~x86-linux ~x64-macos ~x64-solaris"
 ;;
 esac
 esac
diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.24.2-r1.ebuild b/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.24.2-r2.ebuild
similarity index 98%
rename from sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.24.2-r1.ebuild
rename to sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.24.2-r2.ebuild
index 2be24178ea..be97c05657 100644
--- a/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.24.2-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-lang/go/go-1.24.2-r2.ebuild
@@ -69,6 +69,7 @@ go_cross_compile() {
 
 PATCHES=(
 "${FILESDIR}"/go-1.24-skip-gdb-tests.patch
+ "${FILESDIR}"/go-1.24-vgetrandom.patch
 "${FILESDIR}"/go-1.24-dont-force-gold-arm.patch
 "${FILESDIR}"/go-never-download-newer-toolchains.patch
 )
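Review bot: The new `"${FILESDIR}"/go-1.24-vgetrandom.patch` entry in PATCHES says nothing about where the patch comes from or when it can be dropped, while the patch file itself records that it is a cherry-pick of upstream CL 662455 fixing go#73144 on the release-branch.go1.24 line. A one-line comment above the entry, `# Upstream cherry-pick (go#73144, CL 662455): free M vgetrandom state while a P is still held; drop once the 1.24 point release carrying it is packaged.`, lets the next version bump decide without opening the 234-line patch. The entry is also inserted between the gdb-tests and gold-linker patches rather than appended; presumably the order has no functional effect because the patches touch different files, but that cannot be confirmed from this hunk, so appending it last would keep the array in the order the patches were introduced and avoid the question. The enclosing PATCHES array is shown in full, but the rest of the ebuild is outside the hunk.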