CVE-2026-39822
Go Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-39822 is a UNIX symbolic link (symlink) following vulnerability in the Go standard library's os package that allows a local attacker to escape a restricted root directory via crafted path traversal. On Unix systems, the os.Root file access abstraction improperly resolves symlinks when the final path component is a symbolic link and the path ends with a trailing slash (e.g., root.Open("symlink/")), causing it to open the symlink target even when it points outside the intended root. The vulnerability affects Go versions before 1.25.12, versions 1.26.0 through 1.26.4, and the 1.27.0-rc.1 release candidate. It was published on July 8, 2026, and carries a CVSS v3.1 base score of 7.8 (High) (GitHub Advisory, Red Hat Bugzilla).

Détails techniques

The root cause is classified as CWE-61 (UNIX Symbolic Link Following) and CWE-59 (Improper Link Resolution Before File Access). The os.Root API, introduced to provide sandboxed file access within a designated directory tree, fails to correctly handle the edge case where a path ends with a trailing slash and the final component is a symlink — the trailing slash causes the kernel to dereference the symlink as a directory, bypassing the root boundary check. An attacker with local filesystem write access can create a symlink inside the root pointing to a sensitive path outside it, then trigger a call to root.Open("symlink/") in a vulnerable Go application to access the out-of-bounds target. The fix is tracked in Go issue #79005 and applied via code review CL 797880 (GitHub Advisory, Go Vuln DB).

Impact

A local user with low privileges can read or open files outside the intended root directory by exploiting the symlink traversal, leading to unauthorized disclosure of sensitive files (confidentiality impact: High), potential modification of out-of-bounds files if the application performs write operations (integrity impact: High), and possible disruption of application behavior (availability impact: High). Any Go application that uses os.Root for sandboxed file access on Unix systems is potentially affected, including container runtimes, file servers, and build tools that rely on this API for isolation. Downstream packages such as Podman, Buildah, rclone, and gorush have been identified as affected consumers of the vulnerable Go standard library (GitHub Advisory, Red Hat Bugzilla).

Étapes d’exploitation

  1. Identify a vulnerable target: Locate a Go application running on a Unix system that uses os.Root for sandboxed file access and is built with Go < 1.25.12, 1.26.0–1.26.4, or 1.27.0-rc.1.
  2. Gain local write access: Obtain low-privileged local access to the system (e.g., via a shell account or a separate vulnerability) sufficient to create files within the application's root directory.
  3. Create a malicious symlink: Inside the os.Root-controlled directory, create a symbolic link pointing to a sensitive path outside the root, e.g., ln -s /etc/shadow /app/rootdir/escape.
  4. Trigger the vulnerable code path: Cause the application to call root.Open("escape/") — with a trailing slash — which causes Go's os.Root to follow the symlink and open the target outside the root boundary.
  5. Access out-of-bounds data: Read or interact with the file at the symlink target (e.g., /etc/shadow), achieving unauthorized file disclosure or manipulation depending on the application's subsequent operations (GitHub Advisory, Go Vuln DB).

Indicateurs de compromis

  • File System: Unexpected symbolic links within application root directories pointing to paths outside the intended sandbox (e.g., /etc/, /root/, /var/); newly created symlinks with trailing-slash-accessible names in directories writable by low-privileged users.
  • Logs: Application logs showing file open operations on paths ending with / that resolve to unexpected locations; audit logs (auditd) recording file access events outside the expected root directory by the application process.
  • Process: Go application processes accessing files in sensitive system directories (e.g., /etc/shadow, /etc/passwd) that are outside their designated working root; unexpected file read operations by container runtime processes (Podman, Buildah) on host filesystem paths.

Atténuation et solutions de contournement

Upgrade to Go 1.25.12, Go 1.26.5, or Go 1.27.0-rc.2 or later, which contain the fix for this vulnerability (Go Vuln DB, golang-announce). Red Hat has issued multiple errata addressing this issue across RHEL 8, 9, and 10, including RHSA-2026:37435, RHSA-2026:37436, RHSA-2026:38493, RHSA-2026:38494, RHSA-2026:38495, RHSA-2026:38878, and RHSA-2026:38995 (Red Hat Bugzilla). SUSE has also released updates (SUSE-SU-2026:2817-1, SUSE-SU-2026:3046-1). As a workaround where patching is not immediately possible, restrict filesystem permissions to prevent untrusted local users from creating symlinks within application root directories, and consider enabling the fs.protected_symlinks kernel sysctl on Linux to limit symlink following.

Réactions de la communauté

The Go security team disclosed the vulnerability via the golang-announce mailing list and the Go vulnerability database entry GO-2026-4970 (golang-announce). The issue was also discussed on the oss-security mailing list and received community attention on Reddit's r/pwnhub. Microsoft's Security Response Center acknowledged the CVE in their update guide. Multiple Linux distributions including Red Hat, SUSE, openSUSE, AlmaLinux, Rocky Linux, and Debian have issued security advisories and patches, reflecting broad ecosystem impact on Go-based tooling.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Go Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2023-54365HIGH8.7
  • Go logoGo
  • traefik
NonOuiJun 23, 2026
CVE-2026-39822HIGH7.8
  • Go logoGo
  • argo-events
NonOuiJul 08, 2026
CVE-2026-42504HIGH7.5
  • Go logoGo
  • victoriametrics-operator-fips
NonOuiJun 02, 2026
CVE-2026-42505MEDIUM5.3
  • Go logoGo
  • gcp-compute-persistent-disk-csi-driver-fips-1.26
NonOuiJul 08, 2026
CVE-2026-42507MEDIUM5.3
  • Go logoGo
  • grafana-pyroscope-1.16
NonOuiJun 02, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités