Cmd Go
Monthly
The Go toolchain's 'go tool pack' subcommand fails to sanitize output filenames when extracting archive files, allowing local attackers with user privileges and user interaction to write files to arbitrary filesystem locations. Affected versions include Go 1.26.0 through 1.26.2 and all versions before 1.25.10. This vulnerability requires local access and user interaction to trigger, with a vendor-released patch available.
The Go toolchain's 'go bug' command creates temporary files with predictable names in the system temporary directory, allowing local attackers with temporary directory access to create symlinks that cause arbitrary file overwrite. Affects Go 1.26.0 through 1.26.2 and 1.25.0 through 1.25.9. While CVSS 5.3 and EPSS 0.01% suggest moderate local impact, the vulnerability enables information disclosure and integrity compromise of arbitrary files via symlink redirection, confirmed patched in Go 1.26.3 and 1.25.10.
Build-time remote code execution in Go toolchain (cmd/go) versions before 1.25.9 and 1.26.0-1.26.1 allows network attackers to execute arbitrary code during compilation by supplying malicious SWIG files with specially crafted filenames containing 'cgo'. User interaction required (developer must build the malicious package). No public exploit identified at time of analysis. EPSS score of 0.01% (1st percentile) indicates very low observed exploitation probability despite high CVSS 8.8 rating.
The Go toolchain's 'go tool pack' subcommand fails to sanitize output filenames when extracting archive files, allowing local attackers with user privileges and user interaction to write files to arbitrary filesystem locations. Affected versions include Go 1.26.0 through 1.26.2 and all versions before 1.25.10. This vulnerability requires local access and user interaction to trigger, with a vendor-released patch available.
The Go toolchain's 'go bug' command creates temporary files with predictable names in the system temporary directory, allowing local attackers with temporary directory access to create symlinks that cause arbitrary file overwrite. Affects Go 1.26.0 through 1.26.2 and 1.25.0 through 1.25.9. While CVSS 5.3 and EPSS 0.01% suggest moderate local impact, the vulnerability enables information disclosure and integrity compromise of arbitrary files via symlink redirection, confirmed patched in Go 1.26.3 and 1.25.10.
Build-time remote code execution in Go toolchain (cmd/go) versions before 1.25.9 and 1.26.0-1.26.1 allows network attackers to execute arbitrary code during compilation by supplying malicious SWIG files with specially crafted filenames containing 'cgo'. User interaction required (developer must build the malicious package). No public exploit identified at time of analysis. EPSS score of 0.01% (1st percentile) indicates very low observed exploitation probability despite high CVSS 8.8 rating.