
Cloud Vulnerability DB
コミュニティ主導の脆弱性データベース
CVE-2026-39822 is a Unix symbolic link (symlink) following vulnerability in the Go standard library's os.Root API that allows local attackers to bypass root directory restrictions and access files outside the intended root. On Unix systems, when a path's final component is a symbolic link and the path ends with a trailing slash (e.g., root.Open("symlink/")), the os.Root implementation improperly follows the symlink to locations outside the designated root directory. The vulnerability affects Go standard library versions prior to 1.25.12, 1.26.0–1.26.4, and 1.27.0-rc.1. It was published on July 8, 2026, with a CVSS v3.1 base score of 7.8 (High) (GitHub Advisory, OSV).
The root cause is classified as CWE-61 (UNIX Symbolic Link Following), specifically an improper link resolution before file access in the os.Root type introduced in Go's standard library. When os.Root.Open() (or similar methods) receives a path whose final component is a symlink and the path string ends with a /, the implementation resolves the symlink without enforcing that the resolved target remains within the root directory boundary. This is a path traversal variant where the trailing slash causes the runtime to treat the symlink as a directory entry and follow it, bypassing the containment logic. Exploitation requires the attacker to have the ability to create or control symbolic links within a directory accessible to the vulnerable application (GitHub Advisory, Go Issue, Go CL).
A local attacker who can create or control symbolic links within a directory accessible to a Go application using os.Root can read, write, or otherwise access files outside the intended root directory. This can lead to unauthorized disclosure of sensitive files (confidentiality impact: High), modification of files outside the sandbox (integrity impact: High), and potentially disruption of application or system functionality (availability impact: High). Applications that rely on os.Root for sandboxing or chroot-like containment — such as file servers, container runtimes, or multi-tenant services — are most at risk (GitHub Advisory, OSV).
os.Root to sandbox file access.os.Root-controlled directory, create a symbolic link pointing to a sensitive target outside the root, e.g., ln -s /etc/passwd /app/root/symlink.root.Open("symlink/") (with a trailing slash) — for example, by submitting a crafted filename or path to a file-serving endpoint.os.Root implementation follows the symlink due to the trailing slash, opening the target outside the root (e.g., /etc/passwd), allowing the attacker to read or write the file depending on application logic (GitHub Advisory, Go Issue)./etc/, /var/, /home/) — audit with find /app/root -type l -ls.auditd) recording file opens of sensitive files by the application process./etc/passwd, /etc/shadow, or private key files that are outside their designated working directory, observable via strace, lsof, or auditd syscall monitoring.Upgrade to Go 1.25.12, 1.26.5, or 1.27.0-rc.2 (or later), which contain the fix for this vulnerability (Go CL, OSV). As a workaround, restrict the ability of untrusted users to create symbolic links in directories accessible to applications using os.Root (e.g., via filesystem permissions or mount options such as nosymfollow). Additionally, application-level validation of resolved paths before file operations can serve as a defense-in-depth measure. Rebuilding and redeploying Go applications with the patched toolchain is the recommended long-term remediation (GitHub Advisory).
The Go team disclosed the vulnerability via the golang-announce mailing list on July 8, 2026, alongside the release of patched versions (golang-announce). The issue was also reported to the oss-security mailing list (oss-sec). Tenable added detection via Nessus plugin 325627 shortly after disclosure. No significant broader media coverage or notable researcher commentary beyond standard vulnerability tracking has been observed at this time.
ソース: このレポートは AI を使用して生成されました
無料の脆弱性評価
9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。
パーソナライズされたデモを見る
"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"