Skip to main content

Cmd Go EUVDEUVD-2026-20002

| CVE-2026-27140 HIGH
Incorrect Authorization (CWE-863)
2026-04-08 Go
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
9.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 16, 2026 - 19:37 vuln.today
cvss_changed
Analysis Generated
Apr 13, 2026 - 14:22 vuln.today
CVSS changed
Apr 13, 2026 - 14:22 NVD
8.8 (HIGH)
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 01:45 euvd
EUVD-2026-20002
CVE Published
Apr 08, 2026 - 01:06 nvd
N/A

DescriptionNVD

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

AnalysisAI

Build-time remote code execution in Go toolchain (cmd/go) versions before 1.25.9 and 1.26.0-1.26.1 allows network attackers to execute arbitrary code during compilation by supplying malicious SWIG files with specially crafted filenames containing 'cgo'. User interaction required (developer must build the malicious package). No public exploit identified at time of analysis. EPSS score of 0.01% (1st percentile) indicates very low observed exploitation probability despite high CVSS 8.8 rating.

Technical ContextAI

SWIG (Simplified Wrapper and Interface Generator) is used in Go to interface with C/C++ libraries. The Go build tool (cmd/go) processes SWIG files during compilation, particularly when using cgo for C interoperability. This vulnerability exploits insufficient validation of SWIG filenames containing the string 'cgo', allowing attackers to bypass trust boundaries in the build process. By crafting filenames and payloads that exploit this naming pattern, malicious code can be injected and executed with the privileges of the build process. The affected component is cpe:2.3:a:go_toolchain:cmd/go, specifically the build chain's handling of foreign function interface files. This represents a supply chain attack vector where poisoned dependencies or repositories could compromise developer workstations and build infrastructure at compilation time.

RemediationAI

Vendor-released patches available: upgrade Go toolchain to version 1.25.9 or later for the 1.25.x series, or version 1.26.2 or later for the 1.26.x series. Upgrading cmd/go eliminates the vulnerable SWIG filename parsing logic. Download patches from official Go release channels referenced in the security announcement at https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU. For environments unable to immediately upgrade, implement defensive measures including strict dependency review before building external packages, isolated build environments with limited privileges, and repository verification to ensure source integrity. Review build logs for unexpected SWIG file processing. The upstream fix is documented in Go change https://go.dev/cl/763768 addressing issue https://go.dev/issue/78335.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Fixed

Share

EUVD-2026-20002 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy