CVE-2026-39822
Go Análise e mitigação de vulnerabilidades

Visão geral

CVE-2026-39822 is a UNIX symbolic link (symlink) following vulnerability in the Go standard library's os package that allows a local attacker to escape a restricted root directory via crafted path traversal. On Unix systems, the os.Root file access abstraction improperly resolves symlinks when the final path component is a symbolic link and the path ends with a trailing slash (e.g., root.Open("symlink/")), causing it to open the symlink target even when it points outside the intended root. The vulnerability affects Go versions before 1.25.12, versions 1.26.0 through 1.26.4, and the 1.27.0-rc.1 release candidate. It was published on July 8, 2026, and carries a CVSS v3.1 base score of 7.8 (High) (GitHub Advisory, Red Hat Bugzilla).

Detalhes técnicos

The root cause is classified as CWE-61 (UNIX Symbolic Link Following) and CWE-59 (Improper Link Resolution Before File Access). The os.Root API, introduced to provide sandboxed file access within a designated directory tree, fails to correctly handle the edge case where a path ends with a trailing slash and the final component is a symlink — the trailing slash causes the kernel to dereference the symlink as a directory, bypassing the root boundary check. An attacker with local filesystem write access can create a symlink inside the root pointing to a sensitive path outside it, then trigger a call to root.Open("symlink/") in a vulnerable Go application to access the out-of-bounds target. The fix is tracked in Go issue #79005 and applied via code review CL 797880 (GitHub Advisory, Go Vuln DB).

Impacto

A local user with low privileges can read or open files outside the intended root directory by exploiting the symlink traversal, leading to unauthorized disclosure of sensitive files (confidentiality impact: High), potential modification of out-of-bounds files if the application performs write operations (integrity impact: High), and possible disruption of application behavior (availability impact: High). Any Go application that uses os.Root for sandboxed file access on Unix systems is potentially affected, including container runtimes, file servers, and build tools that rely on this API for isolation. Downstream packages such as Podman, Buildah, rclone, and gorush have been identified as affected consumers of the vulnerable Go standard library (GitHub Advisory, Red Hat Bugzilla).

Etapas de exploração

  1. Identify a vulnerable target: Locate a Go application running on a Unix system that uses os.Root for sandboxed file access and is built with Go < 1.25.12, 1.26.0–1.26.4, or 1.27.0-rc.1.
  2. Gain local write access: Obtain low-privileged local access to the system (e.g., via a shell account or a separate vulnerability) sufficient to create files within the application's root directory.
  3. Create a malicious symlink: Inside the os.Root-controlled directory, create a symbolic link pointing to a sensitive path outside the root, e.g., ln -s /etc/shadow /app/rootdir/escape.
  4. Trigger the vulnerable code path: Cause the application to call root.Open("escape/") — with a trailing slash — which causes Go's os.Root to follow the symlink and open the target outside the root boundary.
  5. Access out-of-bounds data: Read or interact with the file at the symlink target (e.g., /etc/shadow), achieving unauthorized file disclosure or manipulation depending on the application's subsequent operations (GitHub Advisory, Go Vuln DB).

Indicadores de compromisso

  • File System: Unexpected symbolic links within application root directories pointing to paths outside the intended sandbox (e.g., /etc/, /root/, /var/); newly created symlinks with trailing-slash-accessible names in directories writable by low-privileged users.
  • Logs: Application logs showing file open operations on paths ending with / that resolve to unexpected locations; audit logs (auditd) recording file access events outside the expected root directory by the application process.
  • Process: Go application processes accessing files in sensitive system directories (e.g., /etc/shadow, /etc/passwd) that are outside their designated working root; unexpected file read operations by container runtime processes (Podman, Buildah) on host filesystem paths.

Mitigação e soluções alternativas

Upgrade to Go 1.25.12, Go 1.26.5, or Go 1.27.0-rc.2 or later, which contain the fix for this vulnerability (Go Vuln DB, golang-announce). Red Hat has issued multiple errata addressing this issue across RHEL 8, 9, and 10, including RHSA-2026:37435, RHSA-2026:37436, RHSA-2026:38493, RHSA-2026:38494, RHSA-2026:38495, RHSA-2026:38878, and RHSA-2026:38995 (Red Hat Bugzilla). SUSE has also released updates (SUSE-SU-2026:2817-1, SUSE-SU-2026:3046-1). As a workaround where patching is not immediately possible, restrict filesystem permissions to prevent untrusted local users from creating symlinks within application root directories, and consider enabling the fs.protected_symlinks kernel sysctl on Linux to limit symlink following.

Reações da comunidade

The Go security team disclosed the vulnerability via the golang-announce mailing list and the Go vulnerability database entry GO-2026-4970 (golang-announce). The issue was also discussed on the oss-security mailing list and received community attention on Reddit's r/pwnhub. Microsoft's Security Response Center acknowledged the CVE in their update guide. Multiple Linux distributions including Red Hat, SUSE, openSUSE, AlmaLinux, Rocky Linux, and Debian have issued security advisories and patches, reflecting broad ecosystem impact on Go-based tooling.

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado Go Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2023-54365HIGH8.7
  • Go logoGo
  • traefik
NãoSimJun 23, 2026
CVE-2026-39822HIGH7.8
  • Go logoGo
  • argo-events
NãoSimJul 08, 2026
CVE-2026-42504HIGH7.5
  • Go logoGo
  • victoriametrics-operator-fips
NãoSimJun 02, 2026
CVE-2026-42505MEDIUM5.3
  • Go logoGo
  • gcp-compute-persistent-disk-csi-driver-fips-1.26
NãoSimJul 08, 2026
CVE-2026-42507MEDIUM5.3
  • Go logoGo
  • grafana-pyroscope-1.16
NãoSimJun 02, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades