9

CVE-2026-27140

Code execution vulnerability in SWIG code generation in cmd/go

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GolangGo Version < 1.25.9
GolangGo Version >= 1.26.0 < 1.26.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.66% 0.469
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 9 2.3 6
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE-641 Improper Restriction of Names for Files and Other Resources

The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://go.dev/cl/763768
Release Notes
https://go.dev/issue/78335
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2456341
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27140.json
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
Mailing List
Release Notes
https://access.redhat.com/errata/RHSA-2026:10217
https://access.redhat.com/errata/RHSA-2026:10219
https://access.redhat.com/errata/RHSA-2026:10704
https://access.redhat.com/errata/RHSA-2026:16021
https://access.redhat.com/errata/RHSA-2026:16024
https://access.redhat.com/errata/RHSA-2026:23246
https://access.redhat.com/errata/RHSA-2026:25182
https://access.redhat.com/errata/RHSA-2026:34099
https://pkg.go.dev/vuln/GO-2026-4871
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:16494
https://access.redhat.com/errata/RHSA-2026:16497
https://access.redhat.com/errata/RHSA-2026:16498
https://access.redhat.com/errata/RHSA-2026:16694
https://access.redhat.com/errata/RHSA-2026:16697
https://access.redhat.com/errata/RHSA-2026:16698
https://access.redhat.com/security/cve/CVE-2026-27140