Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local escape requiring the attacker to place a symlink inside the root (PR:L, AV:L, AC:L); following it outside enables reading and overwriting arbitrary reachable files, so C/I/A:H with unchanged scope.
Primary rating from Vendor (Go).
CVSS VectorVendor: Go
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. For example, 'root.Open("symlink/")' will open "symlink" even when "symlink" is a symbolic link pointing outside of the root.
AnalysisAI
Sandbox escape in the Go standard library's os.Root API (os package) on Unix systems allows filesystem operations meant to be confined to a directory to reach files outside it. When a path's final component is a symbolic link and the path ends in a trailing slash (e.g. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of: a Unix (non-Windows) target; an application that uses the os.Root API as a security boundary; and an attacker able to (a) cause a symbolic link to exist as the final path component within the root and (b) supply an os.Root path whose final component is that symlink and which ends in a trailing slash ('/'). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.8) describes a local, low-privilege attacker achieving high confidentiality, integrity, and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A Go service uses os.Root to sandbox a directory and reads or writes files based on untrusted input paths. An attacker who can create a symbolic link inside that directory (or influence a path resolving to one) requests it with a trailing slash, causing os.Root to follow the link to a sensitive location outside the root and read or overwrite files there. … |
| Remediation | Vendor-released patch: upgrade the Go toolchain to 1.25.12, 1.26.5, or 1.27.0-rc.2 (or later) and rebuild affected applications, since the fix ships in the standard library (fix commit https://go.dev/cl/797880, tracking issue https://go.dev/issue/79005, advisory https://pkg.go.dev/vuln/GO-2026-4970). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all production Go applications to identify those using os.Root API and document which are running Go versions prior to 1.25.12, 1.26.5, or 1.27.0. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-61 – UNIX Symbolic Link (Symlink) Following
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42316
GHSA-xcgv-8mv7-v8c7