Skip to main content

Go toolchain cmd/go CVE-2026-39819

| EUVDEUVD-2026-28422 MEDIUM
Improper Link Resolution Before File Access (CWE-59)
2026-05-07 Go GHSA-5m4p-2gjx-p2g8
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 09, 2026 - 00:30 vuln.today
CVSS changed
May 08, 2026 - 22:22 NVD
5.3 (None) 5.3 (MEDIUM)
Patch available
May 07, 2026 - 21:02 EUVD
CVE Published
May 07, 2026 - 19:41 nvd
UNKNOWN (no severity yet)
CVE Published
May 07, 2026 - 19:41 nvd
MEDIUM 5.3

DescriptionCVE.org

The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

AnalysisAI

The Go toolchain's 'go bug' command creates temporary files with predictable names in the system temporary directory, allowing local attackers with temporary directory access to create symlinks that cause arbitrary file overwrite. Affects Go 1.26.0 through 1.26.2 and 1.25.0 through 1.25.9. While CVSS 5.3 and EPSS 0.01% suggest moderate local impact, the vulnerability enables information disclosure and integrity compromise of arbitrary files via symlink redirection, confirmed patched in Go 1.26.3 and 1.25.10.

Technical ContextAI

The Go toolchain's 'go bug' command (used for generating bug reports) writes diagnostic data to two temporary files using predictable naming schemes in the system temp directory (typically /tmp on Unix-like systems). The underlying vulnerability exists because the command does not use secure temporary file creation mechanisms (such as mkstemp or O_CREAT with O_EXCL flags) to prevent symlink attacks. An attacker with write access to the temp directory can pre-create symlinks with the predictable filenames that the 'go bug' command expects to write to, causing the tool to overwrite the symlink targets instead. This is a classic TOCTOU (time-of-check-time-of-use) race condition. The affected component is the cmd/go package (cpe:2.3:a:go_toolchain:cmd/go), specifically the bug report generation functionality.

RemediationAI

Upgrade Go toolchain to version 1.26.3 or later (preferred) or 1.25.10 or later for users still on the 1.25 release branch. The patch is available from the official Go downloads at https://go.dev/dl/ and is confirmed in the Go security advisory at https://groups.google.com/g/golang-announce/c/qcCIEXso47M. No workarounds are available short of avoiding use of the 'go bug' command. Compensating controls in high-risk environments (shared build systems, multi-tenant CI/CD) include restricting write access to the system temp directory via filesystem permissions or SELinux/AppArmor policies, isolating build processes in separate containers or VMs with private temp directories, and using mount options (noexec, nodev, nosuid) on tmpfs mounts. These controls have minimal performance impact but may complicate legitimate system administration tasks.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-39819 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy