Skip to main content

Go toolchain cmd/go CVE-2026-39817

| EUVDEUVD-2026-28421 MEDIUM
Out-of-bounds Write (CWE-787)
2026-05-07 Go GHSA-qc64-m6c2-v4x7
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 09, 2026 - 00:30 vuln.today
CVSS changed
May 08, 2026 - 22:22 NVD
5.9 (None) 5.9 (MEDIUM)
Patch available
May 07, 2026 - 21:02 EUVD
CVE Published
May 07, 2026 - 19:41 nvd
UNKNOWN (no severity yet)
CVE Published
May 07, 2026 - 19:41 nvd
MEDIUM 5.9

DescriptionCVE.org

The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

AnalysisAI

The Go toolchain's 'go tool pack' subcommand fails to sanitize output filenames when extracting archive files, allowing local attackers with user privileges and user interaction to write files to arbitrary filesystem locations. Affected versions include Go 1.26.0 through 1.26.2 and all versions before 1.25.10. This vulnerability requires local access and user interaction to trigger, with a vendor-released patch available.

Technical ContextAI

The 'go tool pack' subcommand is an internal utility used primarily by the Go compiler to manipulate archive files (typically .a files containing compiled object code). The vulnerability stems from insufficient validation of output filenames during archive extraction, falling under the path traversal/arbitrary file write category. The affected product is identified by CPE cpe:2.3:a:go_toolchain:cmd/go, which encompasses the command-line interface and associated tooling. The flaw allows an attacker to craft a malicious archive containing relative path entries (such as '../../../etc/passwd') that, when extracted by the pack subcommand, bypass intended filesystem boundaries and write files outside the intended extraction directory.

RemediationAI

Upgrade Go to version 1.26.3 or later for the 1.26.x branch, or to version 1.25.10 or later for the 1.25.x branch. Vendor patch is confirmed available per the references at https://go.dev/cl/767520 and announcement at https://groups.google.com/g/golang-announce/c/qcCIEXso47M. For environments unable to upgrade immediately, restrict use of the 'go tool pack' subcommand to known-good, trusted archive sources only. Do not permit extraction of archives from untrusted or external sources using this tool. Disable or isolate systems where the pack subcommand might be invoked by non-administrator users on potentially malicious archives. These compensating controls mitigate the attack by reducing the attack surface but do not eliminate the vulnerability; patching is the definitive remediation.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-39817 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy