CVE-2026-39822
cAdvisor 脆弱性の分析と軽減

概要

CVE-2026-39822 is a Unix symbolic link (symlink) following vulnerability in the Go standard library's os.Root API that allows local attackers to bypass root directory restrictions and access files outside the intended root. On Unix systems, when a path's final component is a symbolic link and the path ends with a trailing slash (e.g., root.Open("symlink/")), the os.Root implementation improperly follows the symlink to locations outside the designated root directory. The vulnerability affects Go standard library versions prior to 1.25.12, 1.26.0–1.26.4, and 1.27.0-rc.1. It was published on July 8, 2026, with a CVSS v3.1 base score of 7.8 (High) (GitHub Advisory, OSV).

技術的な詳細

The root cause is classified as CWE-61 (UNIX Symbolic Link Following), specifically an improper link resolution before file access in the os.Root type introduced in Go's standard library. When os.Root.Open() (or similar methods) receives a path whose final component is a symlink and the path string ends with a /, the implementation resolves the symlink without enforcing that the resolved target remains within the root directory boundary. This is a path traversal variant where the trailing slash causes the runtime to treat the symlink as a directory entry and follow it, bypassing the containment logic. Exploitation requires the attacker to have the ability to create or control symbolic links within a directory accessible to the vulnerable application (GitHub Advisory, Go Issue, Go CL).

影響

A local attacker who can create or control symbolic links within a directory accessible to a Go application using os.Root can read, write, or otherwise access files outside the intended root directory. This can lead to unauthorized disclosure of sensitive files (confidentiality impact: High), modification of files outside the sandbox (integrity impact: High), and potentially disruption of application or system functionality (availability impact: High). Applications that rely on os.Root for sandboxing or chroot-like containment — such as file servers, container runtimes, or multi-tenant services — are most at risk (GitHub Advisory, OSV).

エクスプロイテーションのステップ

  1. Reconnaissance: Identify a target application built with a vulnerable version of the Go standard library (< 1.25.12, 1.26.0–1.26.4, or 1.27.0-rc.1) that uses os.Root to sandbox file access.
  2. Gain local access: Obtain local user access to the system, sufficient to create files or symbolic links within a directory that the target application's root encompasses.
  3. Create a malicious symlink: Inside the os.Root-controlled directory, create a symbolic link pointing to a sensitive target outside the root, e.g., ln -s /etc/passwd /app/root/symlink.
  4. Trigger the vulnerable code path: Cause the application to call root.Open("symlink/") (with a trailing slash) — for example, by submitting a crafted filename or path to a file-serving endpoint.
  5. Access out-of-root content: The os.Root implementation follows the symlink due to the trailing slash, opening the target outside the root (e.g., /etc/passwd), allowing the attacker to read or write the file depending on application logic (GitHub Advisory, Go Issue).

妥協の兆候

  • File System: Unexpected symbolic links within application root directories pointing to sensitive system paths (e.g., /etc/, /var/, /home/) — audit with find /app/root -type l -ls.
  • Logs: Application logs showing file access to paths outside the expected root directory; OS audit logs (e.g., auditd) recording file opens of sensitive files by the application process.
  • Process: Application processes accessing files such as /etc/passwd, /etc/shadow, or private key files that are outside their designated working directory, observable via strace, lsof, or auditd syscall monitoring.

軽減策と回避策

Upgrade to Go 1.25.12, 1.26.5, or 1.27.0-rc.2 (or later), which contain the fix for this vulnerability (Go CL, OSV). As a workaround, restrict the ability of untrusted users to create symbolic links in directories accessible to applications using os.Root (e.g., via filesystem permissions or mount options such as nosymfollow). Additionally, application-level validation of resolved paths before file operations can serve as a defense-in-depth measure. Rebuilding and redeploying Go applications with the patched toolchain is the recommended long-term remediation (GitHub Advisory).

コミュニティの反応

The Go team disclosed the vulnerability via the golang-announce mailing list on July 8, 2026, alongside the release of patched versions (golang-announce). The issue was also reported to the oss-security mailing list (oss-sec). Tenable added detection via Nessus plugin 325627 shortly after disclosure. No significant broader media coverage or notable researcher commentary beyond standard vulnerability tracking has been observed at this time.

関連情報


ソースこのレポートは AI を使用して生成されました

関連 cAdvisor 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2026-39822HIGH7.8
  • cAdvisor logocAdvisor
  • netdata-fips-2.10
いいえはいJul 08, 2026
CVE-2026-42306HIGH7.2
  • cAdvisor logocAdvisor
  • cpe:2.3:a:docker:engine
いいえはいJun 12, 2026
CVE-2026-41568MEDIUM6.1
  • cAdvisor logocAdvisor
  • datadog-agent-7.77
いいえはいJun 12, 2026
CVE-2026-42505MEDIUM5.3
  • cAdvisor logocAdvisor
  • crossplane-provider-gcp-beta-compute
いいえはいJul 08, 2026
CVE-2026-41579LOW3.3
  • cAdvisor logocAdvisor
  • gpu-operator-26.3
いいえはいJul 01, 2026

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者