Skip to main content

Go CVE-2025-61732

HIGH
Code Injection (CWE-94)
2026-02-05 security@golang.org
8.6
CVSS 3.1 · Vendor: golang
Share

Severity by source

Vendor (golang) PRIMARY
8.6 HIGH
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.4 HIGH
qualitative

Primary rating from Vendor (golang).

CVSS VectorVendor: golang

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
Patch released
Feb 10, 2026 - 15:17 nvd
Patch available
CVE Published
Feb 05, 2026 - 04:15 nvd
HIGH 8.6

DescriptionCVE.org

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

AnalysisAI

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. [CVSS 8.6 HIGH]

Technical ContextAI

Classified as CWE-94 (Code Injection). Affects Go. A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

RemediationAI

A vendor patch is available — apply it immediately.

More in Go

View all
CVE-2016-5386 HIGH
8.1 Jul 19

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and there

CVE-2025-68121 CRITICAL POC
10.0 Feb 05

Critical certificate validation bypass in Go crypto/tls during session resumption. If ClientCAs or RootCAs fields are mu

CVE-2019-14809 CRITICAL POC
9.8 Aug 13

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization by

CVE-2018-7187 HIGH POC
8.8 Feb 16

The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import pa

CVE-2015-5739 CRITICAL
9.8 Oct 18

The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allow

CVE-2020-0601 HIGH POC
8.1 Jan 14

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) c

CVE-2019-9634 HIGH POC
7.8 Mar 08

Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. Rated high severity (CVS

CVE-2018-6574 HIGH POC
7.8 Feb 07

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command executi

CVE-2025-61726 HIGH POC
7.5 Jan 28

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query p

CVE-2022-2880 HIGH POC
7.5 Oct 14

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable param

CVE-2022-32189 HIGH POC
7.5 Aug 10

A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and

CVE-2022-30634 HIGH POC
7.5 Jul 15

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite h

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.7 Affected
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.7 Image SL-Micro Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.5 Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.6 Affected
Container suse/sl-micro/6.0/toolbox:13.2-9.2 Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.35 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.59 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.48 Affected

Share

CVE-2025-61732 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy