What is the CVSS score of CVE-2025-61732?

CVE-2025-61732 has a CVSS 3.1 base score of 8.6 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Golang are affected by CVE-2025-61732?

CVE-2025-61732 affects applications built with Go's cgo functionality, allowing attackers to inject malicious code into compiled binaries through comment parsing manipulation.. A patch is available.

How to fix or mitigate CVE-2025-61732?

Within 24 hours: Identify all applications using Go with cgo dependencies and assess exposure. Within 7 days: Apply available patches to affected Go installations and rebuild all cgo-dependent binaries. Within 30 days: Conduct code review of recent builds, verify binary integrity, and implement controls to prevent unauthorized cgo modifications in development pipelines.

Golang CVE-2025-61732

HIGH

Code Injection (CWE-94)

2026-02-05 security@golang.org

Golang Red Hat Go Suse

8.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

Patch released

Feb 10, 2026 - 15:17 nvd

Patch available

CVE Published

Feb 05, 2026 - 04:15 nvd

HIGH 8.6

DescriptionNVD

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

AnalysisAI

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. [CVSS 8.6 HIGH]

Technical ContextAI

Classified as CWE-94 (Code Injection). Affects Go. A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.