CVE-2026-39822
cAdvisor Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-39822 is a Unix symbolic link (symlink) following vulnerability in the Go standard library's os.Root API that allows local attackers to bypass root directory restrictions and access files outside the intended root. On Unix systems, when a path's final component is a symbolic link and the path ends with a trailing slash (e.g., root.Open("symlink/")), the os.Root implementation improperly follows the symlink to locations outside the designated root directory. The vulnerability affects Go standard library versions prior to 1.25.12, 1.26.0–1.26.4, and 1.27.0-rc.1. It was published on July 8, 2026, with a CVSS v3.1 base score of 7.8 (High) (GitHub Advisory, OSV).

Técnicas

The root cause is classified as CWE-61 (UNIX Symbolic Link Following), specifically an improper link resolution before file access in the os.Root type introduced in Go's standard library. When os.Root.Open() (or similar methods) receives a path whose final component is a symlink and the path string ends with a /, the implementation resolves the symlink without enforcing that the resolved target remains within the root directory boundary. This is a path traversal variant where the trailing slash causes the runtime to treat the symlink as a directory entry and follow it, bypassing the containment logic. Exploitation requires the attacker to have the ability to create or control symbolic links within a directory accessible to the vulnerable application (GitHub Advisory, Go Issue, Go CL).

Impacto

A local attacker who can create or control symbolic links within a directory accessible to a Go application using os.Root can read, write, or otherwise access files outside the intended root directory. This can lead to unauthorized disclosure of sensitive files (confidentiality impact: High), modification of files outside the sandbox (integrity impact: High), and potentially disruption of application or system functionality (availability impact: High). Applications that rely on os.Root for sandboxing or chroot-like containment — such as file servers, container runtimes, or multi-tenant services — are most at risk (GitHub Advisory, OSV).

Pasos de explotación

  1. Reconnaissance: Identify a target application built with a vulnerable version of the Go standard library (< 1.25.12, 1.26.0–1.26.4, or 1.27.0-rc.1) that uses os.Root to sandbox file access.
  2. Gain local access: Obtain local user access to the system, sufficient to create files or symbolic links within a directory that the target application's root encompasses.
  3. Create a malicious symlink: Inside the os.Root-controlled directory, create a symbolic link pointing to a sensitive target outside the root, e.g., ln -s /etc/passwd /app/root/symlink.
  4. Trigger the vulnerable code path: Cause the application to call root.Open("symlink/") (with a trailing slash) — for example, by submitting a crafted filename or path to a file-serving endpoint.
  5. Access out-of-root content: The os.Root implementation follows the symlink due to the trailing slash, opening the target outside the root (e.g., /etc/passwd), allowing the attacker to read or write the file depending on application logic (GitHub Advisory, Go Issue).

Indicadores de compromiso

  • File System: Unexpected symbolic links within application root directories pointing to sensitive system paths (e.g., /etc/, /var/, /home/) — audit with find /app/root -type l -ls.
  • Logs: Application logs showing file access to paths outside the expected root directory; OS audit logs (e.g., auditd) recording file opens of sensitive files by the application process.
  • Process: Application processes accessing files such as /etc/passwd, /etc/shadow, or private key files that are outside their designated working directory, observable via strace, lsof, or auditd syscall monitoring.

Mitigación y soluciones alternativas

Upgrade to Go 1.25.12, 1.26.5, or 1.27.0-rc.2 (or later), which contain the fix for this vulnerability (Go CL, OSV). As a workaround, restrict the ability of untrusted users to create symbolic links in directories accessible to applications using os.Root (e.g., via filesystem permissions or mount options such as nosymfollow). Additionally, application-level validation of resolved paths before file operations can serve as a defense-in-depth measure. Rebuilding and redeploying Go applications with the patched toolchain is the recommended long-term remediation (GitHub Advisory).

Reacciones de la comunidad

The Go team disclosed the vulnerability via the golang-announce mailing list on July 8, 2026, alongside the release of patched versions (golang-announce). The issue was also reported to the oss-security mailing list (oss-sec). Tenable added detection via Nessus plugin 325627 shortly after disclosure. No significant broader media coverage or notable researcher commentary beyond standard vulnerability tracking has been observed at this time.

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado cAdvisor Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-39822HIGH7.8
  • cAdvisor logocAdvisor
  • netdata-fips-2.10
NoJul 08, 2026
CVE-2026-42306HIGH7.2
  • cAdvisor logocAdvisor
  • cpe:2.3:a:docker:engine
NoJun 12, 2026
CVE-2026-41568MEDIUM6.1
  • cAdvisor logocAdvisor
  • datadog-agent-7.77
NoJun 12, 2026
CVE-2026-42505MEDIUM5.3
  • cAdvisor logocAdvisor
  • crossplane-provider-gcp-beta-compute
NoJul 08, 2026
CVE-2026-41579LOW3.3
  • cAdvisor logocAdvisor
  • gpu-operator-26.3
NoJul 01, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades