CVE-2026-39822
Go Analisi e mitigazione delle vulnerabilità

Panoramica

CVE-2026-39822 is a UNIX symbolic link (symlink) following vulnerability in the Go standard library's os package that allows a local attacker to escape a restricted root directory via crafted path traversal. On Unix systems, the os.Root file access abstraction improperly resolves symlinks when the final path component is a symbolic link and the path ends with a trailing slash (e.g., root.Open("symlink/")), causing it to open the symlink target even when it points outside the intended root. The vulnerability affects Go versions before 1.25.12, versions 1.26.0 through 1.26.4, and the 1.27.0-rc.1 release candidate. It was published on July 8, 2026, and carries a CVSS v3.1 base score of 7.8 (High) (GitHub Advisory, Red Hat Bugzilla).

Dettagli tecnici

The root cause is classified as CWE-61 (UNIX Symbolic Link Following) and CWE-59 (Improper Link Resolution Before File Access). The os.Root API, introduced to provide sandboxed file access within a designated directory tree, fails to correctly handle the edge case where a path ends with a trailing slash and the final component is a symlink — the trailing slash causes the kernel to dereference the symlink as a directory, bypassing the root boundary check. An attacker with local filesystem write access can create a symlink inside the root pointing to a sensitive path outside it, then trigger a call to root.Open("symlink/") in a vulnerable Go application to access the out-of-bounds target. The fix is tracked in Go issue #79005 and applied via code review CL 797880 (GitHub Advisory, Go Vuln DB).

Impatto

A local user with low privileges can read or open files outside the intended root directory by exploiting the symlink traversal, leading to unauthorized disclosure of sensitive files (confidentiality impact: High), potential modification of out-of-bounds files if the application performs write operations (integrity impact: High), and possible disruption of application behavior (availability impact: High). Any Go application that uses os.Root for sandboxed file access on Unix systems is potentially affected, including container runtimes, file servers, and build tools that rely on this API for isolation. Downstream packages such as Podman, Buildah, rclone, and gorush have been identified as affected consumers of the vulnerable Go standard library (GitHub Advisory, Red Hat Bugzilla).

Passaggi di sfruttamento

  1. Identify a vulnerable target: Locate a Go application running on a Unix system that uses os.Root for sandboxed file access and is built with Go < 1.25.12, 1.26.0–1.26.4, or 1.27.0-rc.1.
  2. Gain local write access: Obtain low-privileged local access to the system (e.g., via a shell account or a separate vulnerability) sufficient to create files within the application's root directory.
  3. Create a malicious symlink: Inside the os.Root-controlled directory, create a symbolic link pointing to a sensitive path outside the root, e.g., ln -s /etc/shadow /app/rootdir/escape.
  4. Trigger the vulnerable code path: Cause the application to call root.Open("escape/") — with a trailing slash — which causes Go's os.Root to follow the symlink and open the target outside the root boundary.
  5. Access out-of-bounds data: Read or interact with the file at the symlink target (e.g., /etc/shadow), achieving unauthorized file disclosure or manipulation depending on the application's subsequent operations (GitHub Advisory, Go Vuln DB).

Indicatori di compromesso

  • File System: Unexpected symbolic links within application root directories pointing to paths outside the intended sandbox (e.g., /etc/, /root/, /var/); newly created symlinks with trailing-slash-accessible names in directories writable by low-privileged users.
  • Logs: Application logs showing file open operations on paths ending with / that resolve to unexpected locations; audit logs (auditd) recording file access events outside the expected root directory by the application process.
  • Process: Go application processes accessing files in sensitive system directories (e.g., /etc/shadow, /etc/passwd) that are outside their designated working root; unexpected file read operations by container runtime processes (Podman, Buildah) on host filesystem paths.

Mitigazione e soluzioni alternative

Upgrade to Go 1.25.12, Go 1.26.5, or Go 1.27.0-rc.2 or later, which contain the fix for this vulnerability (Go Vuln DB, golang-announce). Red Hat has issued multiple errata addressing this issue across RHEL 8, 9, and 10, including RHSA-2026:37435, RHSA-2026:37436, RHSA-2026:38493, RHSA-2026:38494, RHSA-2026:38495, RHSA-2026:38878, and RHSA-2026:38995 (Red Hat Bugzilla). SUSE has also released updates (SUSE-SU-2026:2817-1, SUSE-SU-2026:3046-1). As a workaround where patching is not immediately possible, restrict filesystem permissions to prevent untrusted local users from creating symlinks within application root directories, and consider enabling the fs.protected_symlinks kernel sysctl on Linux to limit symlink following.

Reazioni della comunità

The Go security team disclosed the vulnerability via the golang-announce mailing list and the Go vulnerability database entry GO-2026-4970 (golang-announce). The issue was also discussed on the oss-security mailing list and received community attention on Reddit's r/pwnhub. Microsoft's Security Response Center acknowledged the CVE in their update guide. Multiple Linux distributions including Red Hat, SUSE, openSUSE, AlmaLinux, Rocky Linux, and Debian have issued security advisories and patches, reflecting broad ecosystem impact on Go-based tooling.

Risorse aggiuntive


FonteQuesto report è stato generato utilizzando l'intelligenza artificiale

Imparentato Go Vulnerabilità:

CVE ID

Severità

Punteggio

Tecnologie

Nome del componente

Exploit CISA KEV

Ha la correzione

Data di pubblicazione

CVE-2023-54365HIGH8.7
  • Go logoGo
  • traefik
NoJun 23, 2026
CVE-2026-39822HIGH7.8
  • Go logoGo
  • argo-events
NoJul 08, 2026
CVE-2026-42504HIGH7.5
  • Go logoGo
  • victoriametrics-operator-fips
NoJun 02, 2026
CVE-2026-42505MEDIUM5.3
  • Go logoGo
  • gcp-compute-persistent-disk-csi-driver-fips-1.26
NoJul 08, 2026
CVE-2026-42507MEDIUM5.3
  • Go logoGo
  • grafana-pyroscope-1.16
NoJun 02, 2026

Valutazione gratuita delle vulnerabilità

Benchmark della tua posizione di sicurezza del cloud

Valuta le tue pratiche di sicurezza cloud in 9 domini di sicurezza per confrontare il tuo livello di rischio e identificare le lacune nelle tue difese.

Richiedi valutazione

Richiedi una demo personalizzata

Pronti a vedere Wiz in azione?

"La migliore esperienza utente che abbia mai visto offre piena visibilità ai carichi di lavoro cloud."
David EstlickCISO (CISO)
"Wiz fornisce un unico pannello di controllo per vedere cosa sta succedendo nei nostri ambienti cloud."
Adam FletcherResponsabile della sicurezza
"Sappiamo che se Wiz identifica qualcosa come critico, in realtà lo è."
Greg PoniatowskiResponsabile della gestione delle minacce e delle vulnerabilità