
PEACH
Un framework di isolamento del tenant
CVE-2026-39822 is a UNIX symbolic link (symlink) following vulnerability in the Go standard library's os package that allows a local attacker to escape a restricted root directory via crafted path traversal. On Unix systems, the os.Root file access abstraction improperly resolves symlinks when the final path component is a symbolic link and the path ends with a trailing slash (e.g., root.Open("symlink/")), causing it to open the symlink target even when it points outside the intended root. The vulnerability affects Go versions before 1.25.12, versions 1.26.0 through 1.26.4, and the 1.27.0-rc.1 release candidate. It was published on July 8, 2026, and carries a CVSS v3.1 base score of 7.8 (High) (GitHub Advisory, Red Hat Bugzilla).
The root cause is classified as CWE-61 (UNIX Symbolic Link Following) and CWE-59 (Improper Link Resolution Before File Access). The os.Root API, introduced to provide sandboxed file access within a designated directory tree, fails to correctly handle the edge case where a path ends with a trailing slash and the final component is a symlink — the trailing slash causes the kernel to dereference the symlink as a directory, bypassing the root boundary check. An attacker with local filesystem write access can create a symlink inside the root pointing to a sensitive path outside it, then trigger a call to root.Open("symlink/") in a vulnerable Go application to access the out-of-bounds target. The fix is tracked in Go issue #79005 and applied via code review CL 797880 (GitHub Advisory, Go Vuln DB).
A local user with low privileges can read or open files outside the intended root directory by exploiting the symlink traversal, leading to unauthorized disclosure of sensitive files (confidentiality impact: High), potential modification of out-of-bounds files if the application performs write operations (integrity impact: High), and possible disruption of application behavior (availability impact: High). Any Go application that uses os.Root for sandboxed file access on Unix systems is potentially affected, including container runtimes, file servers, and build tools that rely on this API for isolation. Downstream packages such as Podman, Buildah, rclone, and gorush have been identified as affected consumers of the vulnerable Go standard library (GitHub Advisory, Red Hat Bugzilla).
os.Root for sandboxed file access and is built with Go < 1.25.12, 1.26.0–1.26.4, or 1.27.0-rc.1.os.Root-controlled directory, create a symbolic link pointing to a sensitive path outside the root, e.g., ln -s /etc/shadow /app/rootdir/escape.root.Open("escape/") — with a trailing slash — which causes Go's os.Root to follow the symlink and open the target outside the root boundary./etc/shadow), achieving unauthorized file disclosure or manipulation depending on the application's subsequent operations (GitHub Advisory, Go Vuln DB)./etc/, /root/, /var/); newly created symlinks with trailing-slash-accessible names in directories writable by low-privileged users./ that resolve to unexpected locations; audit logs (auditd) recording file access events outside the expected root directory by the application process./etc/shadow, /etc/passwd) that are outside their designated working root; unexpected file read operations by container runtime processes (Podman, Buildah) on host filesystem paths.Upgrade to Go 1.25.12, Go 1.26.5, or Go 1.27.0-rc.2 or later, which contain the fix for this vulnerability (Go Vuln DB, golang-announce). Red Hat has issued multiple errata addressing this issue across RHEL 8, 9, and 10, including RHSA-2026:37435, RHSA-2026:37436, RHSA-2026:38493, RHSA-2026:38494, RHSA-2026:38495, RHSA-2026:38878, and RHSA-2026:38995 (Red Hat Bugzilla). SUSE has also released updates (SUSE-SU-2026:2817-1, SUSE-SU-2026:3046-1). As a workaround where patching is not immediately possible, restrict filesystem permissions to prevent untrusted local users from creating symlinks within application root directories, and consider enabling the fs.protected_symlinks kernel sysctl on Linux to limit symlink following.
The Go security team disclosed the vulnerability via the golang-announce mailing list and the Go vulnerability database entry GO-2026-4970 (golang-announce). The issue was also discussed on the oss-security mailing list and received community attention on Reddit's r/pwnhub. Microsoft's Security Response Center acknowledged the CVE in their update guide. Multiple Linux distributions including Red Hat, SUSE, openSUSE, AlmaLinux, Rocky Linux, and Debian have issued security advisories and patches, reflecting broad ecosystem impact on Go-based tooling.
Fonte: Questo report è stato generato utilizzando l'intelligenza artificiale
Valutazione gratuita delle vulnerabilità
Valuta le tue pratiche di sicurezza cloud in 9 domini di sicurezza per confrontare il tuo livello di rischio e identificare le lacune nelle tue difese.
Richiedi una demo personalizzata
"La migliore esperienza utente che abbia mai visto offre piena visibilità ai carichi di lavoro cloud."
"Wiz fornisce un unico pannello di controllo per vedere cosa sta succedendo nei nostri ambienti cloud."
"Sappiamo che se Wiz identifica qualcosa come critico, in realtà lo è."