CVE-2026-39822
Go Schwachstellenanalyse und -minderung

Überblick

CVE-2026-39822 is a UNIX symbolic link (symlink) following vulnerability in the Go standard library's os package that allows a local attacker to escape a restricted root directory via crafted path traversal. On Unix systems, the os.Root file access abstraction improperly resolves symlinks when the final path component is a symbolic link and the path ends with a trailing slash (e.g., root.Open("symlink/")), causing it to open the symlink target even when it points outside the intended root. The vulnerability affects Go versions before 1.25.12, versions 1.26.0 through 1.26.4, and the 1.27.0-rc.1 release candidate. It was published on July 8, 2026, and carries a CVSS v3.1 base score of 7.8 (High) (GitHub Advisory, Red Hat Bugzilla).

Technische Details

The root cause is classified as CWE-61 (UNIX Symbolic Link Following) and CWE-59 (Improper Link Resolution Before File Access). The os.Root API, introduced to provide sandboxed file access within a designated directory tree, fails to correctly handle the edge case where a path ends with a trailing slash and the final component is a symlink — the trailing slash causes the kernel to dereference the symlink as a directory, bypassing the root boundary check. An attacker with local filesystem write access can create a symlink inside the root pointing to a sensitive path outside it, then trigger a call to root.Open("symlink/") in a vulnerable Go application to access the out-of-bounds target. The fix is tracked in Go issue #79005 and applied via code review CL 797880 (GitHub Advisory, Go Vuln DB).

Aufprall

A local user with low privileges can read or open files outside the intended root directory by exploiting the symlink traversal, leading to unauthorized disclosure of sensitive files (confidentiality impact: High), potential modification of out-of-bounds files if the application performs write operations (integrity impact: High), and possible disruption of application behavior (availability impact: High). Any Go application that uses os.Root for sandboxed file access on Unix systems is potentially affected, including container runtimes, file servers, and build tools that rely on this API for isolation. Downstream packages such as Podman, Buildah, rclone, and gorush have been identified as affected consumers of the vulnerable Go standard library (GitHub Advisory, Red Hat Bugzilla).

Ausnutzungsschritte

  1. Identify a vulnerable target: Locate a Go application running on a Unix system that uses os.Root for sandboxed file access and is built with Go < 1.25.12, 1.26.0–1.26.4, or 1.27.0-rc.1.
  2. Gain local write access: Obtain low-privileged local access to the system (e.g., via a shell account or a separate vulnerability) sufficient to create files within the application's root directory.
  3. Create a malicious symlink: Inside the os.Root-controlled directory, create a symbolic link pointing to a sensitive path outside the root, e.g., ln -s /etc/shadow /app/rootdir/escape.
  4. Trigger the vulnerable code path: Cause the application to call root.Open("escape/") — with a trailing slash — which causes Go's os.Root to follow the symlink and open the target outside the root boundary.
  5. Access out-of-bounds data: Read or interact with the file at the symlink target (e.g., /etc/shadow), achieving unauthorized file disclosure or manipulation depending on the application's subsequent operations (GitHub Advisory, Go Vuln DB).

Indikatoren für Kompromittierung

  • File System: Unexpected symbolic links within application root directories pointing to paths outside the intended sandbox (e.g., /etc/, /root/, /var/); newly created symlinks with trailing-slash-accessible names in directories writable by low-privileged users.
  • Logs: Application logs showing file open operations on paths ending with / that resolve to unexpected locations; audit logs (auditd) recording file access events outside the expected root directory by the application process.
  • Process: Go application processes accessing files in sensitive system directories (e.g., /etc/shadow, /etc/passwd) that are outside their designated working root; unexpected file read operations by container runtime processes (Podman, Buildah) on host filesystem paths.

Risikominderung und Problemumgehungen

Upgrade to Go 1.25.12, Go 1.26.5, or Go 1.27.0-rc.2 or later, which contain the fix for this vulnerability (Go Vuln DB, golang-announce). Red Hat has issued multiple errata addressing this issue across RHEL 8, 9, and 10, including RHSA-2026:37435, RHSA-2026:37436, RHSA-2026:38493, RHSA-2026:38494, RHSA-2026:38495, RHSA-2026:38878, and RHSA-2026:38995 (Red Hat Bugzilla). SUSE has also released updates (SUSE-SU-2026:2817-1, SUSE-SU-2026:3046-1). As a workaround where patching is not immediately possible, restrict filesystem permissions to prevent untrusted local users from creating symlinks within application root directories, and consider enabling the fs.protected_symlinks kernel sysctl on Linux to limit symlink following.

Reaktionen der Community

The Go security team disclosed the vulnerability via the golang-announce mailing list and the Go vulnerability database entry GO-2026-4970 (golang-announce). The issue was also discussed on the oss-security mailing list and received community attention on Reddit's r/pwnhub. Microsoft's Security Response Center acknowledged the CVE in their update guide. Multiple Linux distributions including Red Hat, SUSE, openSUSE, AlmaLinux, Rocky Linux, and Debian have issued security advisories and patches, reflecting broad ecosystem impact on Go-based tooling.

Zusätzliche Ressourcen


QuelleDieser Bericht wurde mithilfe von KI erstellt

Verwandt Go Schwachstellen:

CVE-Kennung

Strenge

Punktzahl

Technologieen

Name der Komponente

CISA KEV-Exploit

Hat fix

Veröffentlichungsdatum

CVE-2023-54365HIGH8.7
  • Go logoGo
  • traefik
NeinJaJun 23, 2026
CVE-2026-39822HIGH7.8
  • Go logoGo
  • argo-events
NeinJaJul 08, 2026
CVE-2026-42504HIGH7.5
  • Go logoGo
  • victoriametrics-operator-fips
NeinJaJun 02, 2026
CVE-2026-42505MEDIUM5.3
  • Go logoGo
  • gcp-compute-persistent-disk-csi-driver-fips-1.26
NeinJaJul 08, 2026
CVE-2026-42507MEDIUM5.3
  • Go logoGo
  • grafana-pyroscope-1.16
NeinJaJun 02, 2026

Kostenlose Schwachstellenbewertung

Benchmarking Ihrer Cloud-Sicherheitslage

Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.

Bewertung anfordern

Eine personalisierte Demo anfordern

Sind Sie bereit, Wiz in Aktion zu sehen?

"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
David EstlickCISO
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
Adam FletcherSicherheitsbeauftragter
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"
Greg PoniatowskiLeiter Bedrohungs- und Schwachstellenmanagement