Skip to main content

Go standard library CVE-2026-39822

| EUVDEUVD-2026-42316 HIGH
UNIX Symbolic Link (Symlink) Following (CWE-61)
2026-07-08 Go GHSA-xcgv-8mv7-v8c7
7.8
CVSS 3.1 · Vendor: Go
Share

Severity by source

Vendor (Go) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local escape requiring the attacker to place a symlink inside the root (PR:L, AV:L, AC:L); following it outside enables reading and overwriting arbitrary reachable files, so C/I/A:H with unchanged scope.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Go).

CVSS VectorVendor: Go

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 08, 2026 - 20:39 vuln.today
CVSS changed
Jul 08, 2026 - 20:22 NVD
7.8 (HIGH)
Patch available
Jul 08, 2026 - 18:02 EUVD
CVE Published
Jul 08, 2026 - 15:46 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. For example, 'root.Open("symlink/")' will open "symlink" even when "symlink" is a symbolic link pointing outside of the root.

AnalysisAI

Sandbox escape in the Go standard library's os.Root API (os package) on Unix systems allows filesystem operations meant to be confined to a directory to reach files outside it. When a path's final component is a symbolic link and the path ends in a trailing slash (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain write access inside os.Root directory
Delivery
Plant symlink pointing outside root
Exploit
Request symlink path with trailing slash
Execution
os.Root follows symlink past boundary
Impact
Read or overwrite files outside sandbox

Vulnerability AssessmentAI

Exploitation Exploitation requires all of: a Unix (non-Windows) target; an application that uses the os.Root API as a security boundary; and an attacker able to (a) cause a symbolic link to exist as the final path component within the root and (b) supply an os.Root path whose final component is that symlink and which ends in a trailing slash ('/'). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.8) describes a local, low-privilege attacker achieving high confidentiality, integrity, and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A Go service uses os.Root to sandbox a directory and reads or writes files based on untrusted input paths. An attacker who can create a symbolic link inside that directory (or influence a path resolving to one) requests it with a trailing slash, causing os.Root to follow the link to a sensitive location outside the root and read or overwrite files there. …
Remediation Vendor-released patch: upgrade the Go toolchain to 1.25.12, 1.26.5, or 1.27.0-rc.2 (or later) and rebuild affected applications, since the fix ships in the standard library (fix commit https://go.dev/cl/797880, tracking issue https://go.dev/issue/79005, advisory https://pkg.go.dev/vuln/GO-2026-4970). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all production Go applications to identify those using os.Root API and document which are running Go versions prior to 1.25.12, 1.26.5, or 1.27.0. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-39822 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy