CVE-2026-39822

Go · Go standard library os

A symlink following vulnerability exists in the Go standard library 'os' package on Unix systems, which could lead to unauthorized file access or modification.

Executive summary

A symlink following vulnerability in the Go standard library on Unix systems allows authenticated attackers to potentially gain unauthorized access to or modify files.

Vulnerability

This is a CWE-61 Unix Symbolic Link (Symlink) following vulnerability. The 'os' package fails to properly handle symlinks during file operations, allowing an attacker with local access to manipulate file paths.

Business impact

An attacker capable of influencing file operations could potentially bypass intended file permissions, leading to unauthorized read or write access to sensitive files on the host system. With a CVSS score of 7.8, this vulnerability poses a substantial risk to systems running Go-based applications, potentially facilitating privilege escalation or data corruption.

Remediation

Immediate Action: Update all Go development environments and compiled applications to the specified patched versions provided in the vendor security advisory.

Proactive Monitoring: Monitor system logs for unexpected file system access patterns or errors related to symlink resolution in applications utilizing the 'os' package.

Compensating Controls: Implement strict file system permissions and use containerization or sandboxing to restrict the reach of applications that might interact with untrusted symlinks.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Developers and system administrators must prioritize patching the Go runtime to mitigate this local file system vulnerability. Recompiling applications with the updated Go toolchain is essential to ensure that the security fix is correctly integrated into the affected binaries.