{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27140", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-17T19:57:28.435Z", "datePublished": "2026-04-08T01:06:57.893Z", "dateUpdated": "2026-04-13T13:22:34.117Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:57.893Z"}, "title": "Code execution vulnerability in SWIG code generation in cmd/go", "descriptions": [{"lang": "en", "value": "SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/go", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/go", "versions": [{"version": "0", "lessThan": "1.25.9", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.2", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-501: Trust Boundary Violation"}]}], "references": [{"url": "https://go.dev/cl/763768"}, {"url": "https://go.dev/issue/78335"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4871"}], "credits": [{"lang": "en", "value": "Juho Fors\u00e9n of Mattermost"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T03:55:58.901718Z", "id": "CVE-2026-27140", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:22:34.117Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27140", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T03:55:58.901718Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:22:00.796Z"}}], "cna": {"title": "Code execution vulnerability in SWIG code generation in cmd/go", "credits": [{"lang": "en", "value": "Juho Fors\u00e9n of Mattermost"}], "affected": [{"vendor": "Go toolchain", "product": "cmd/go", "versions": [{"status": "affected", "version": "0", "lessThan": "1.25.9", "versionType": "semver"}, {"status": "affected", "version": "1.26.0-0", "lessThan": "1.26.2", "versionType": "semver"}], "packageName": "cmd/go", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected"}], "references": [{"url": "https://go.dev/cl/763768"}, {"url": "https://go.dev/issue/78335"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4871"}], "descriptions": [{"lang": "en", "value": "SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-501: Trust Boundary Violation"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:57.893Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27140", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:22:34.117Z", "dateReserved": "2026-02-17T19:57:28.435Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-04-08T01:06:57.893Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6C9C072-9817-402D-877F-F83584B07017", "versionEndExcluding": "1.25.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "39FE9BAF-55E9-43AA-B14E-239E7EF1D65D", "versionEndExcluding": "1.26.2", "versionStartIncluding": "1.26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass."}], "id": "CVE-2026-27140", "lastModified": "2026-04-16T19:26:59.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T02:16:02.887", "references": [{"source": "security@golang.org", "tags": ["Release Notes"], "url": "https://go.dev/cl/763768"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/78335"}, {"source": "security@golang.org", "tags": ["Release Notes", "Mailing List"], "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2026-4871"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names", "id": "2456341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456341"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-641", "details": ["A flaw was found in the Go programming language (golang) and its command-line tool (cmd/go). A remote attacker could exploit this during the build process by crafting malicious SWIG (Simplified Wrapper and Interface Generator) file names that contain \"cgo\" and specific payloads. This could lead to code smuggling and arbitrary code execution, bypassing trust mechanisms and allowing the attacker to run unauthorized code."], "name": "CVE-2026-27140", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift4/ose-docker-builder-rhel9", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift4/ose-docker-builder-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "golang1.25", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "golang1.26", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-docker-builder-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "openshift4/ose-docker-builder-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-04-08T01:06:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27140\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27140\nhttps://go.dev/cl/763768\nhttps://go.dev/issue/78335\nhttps://groups.google.com/g/golang-announce/c/0uYbvbPZRWU\nhttps://pkg.go.dev/vuln/GO-2026-4871"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.25.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.0-0,1.26.2)"}}], "enrichment": {"confidence": 97.0, "confidence_source": "matching", "scores": [{"score": 97.0, "source": "matching"}]}, "original": {"product": "cmd/go", "source": "cna", "vendor": "Go toolchain"}, "product": "cmd/go", "vendor": "gotoolchain"}], "analysis": {"en": {"generated_at": "2026-04-17T09:51:39.133867+00:00", "value": {"mitigation_remediation": ["Upgrade the Go toolchain to the latest stable release that contains the SWIG code generation fix.", "If an immediate upgrade is not possible, avoid using SWIG files whose names contain the substring \"cgo\" or rename them to a neutral name before compilation.", "Restrict who can provide source to the build process and run builds in a hardened, isolated environment with the least privilege necessary."], "summary": {"action": "Immediate Update", "impact": "Arbitrary code execution during Go build"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the Go toolchain component cmd/go used by developers and build systems. No specific version information is supplied, so all releases of the Go toolchain that include the vulnerable SWIG handling path are potentially affected. This includes any environment where Go is used to compile projects that incorporate SWIG modules.", "description_and_impact": "SWIG file names that contain the substring 'cgo' and specially crafted payloads can be processed by the Go toolchain during SWIG code generation. This bypasses expected trust checks and allows the embedded code to be compiled and executed as part of the build. As a result, an attacker who can influence the contents or names of SWIG files can inject malicious code that runs with the privileges of the build process, compromising confidentiality, integrity, or availability of the built binaries. The weakness is a code\u2011smuggling scenario, related to CWE\u2011641 and CWE\u2011863.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high\u2011severity attack that is likely exploitable locally during a build. The EPSS score of less than 1% suggests that a large number of real-world exploits are not publicly available, and the vulnerability is not listed in CISA's KEV catalog. Nevertheless, an attacker who gains the ability to supply or modify SWIG files can execute arbitrary code at build time, so the risk is significant if the build environment is compromised or if untrusted code is compiled."}}}}, "created": "2026-04-08T19:44:17.375542+00:00", "updated": "2026-04-17T10:00:03.568088+00:00", "vendors": ["gotoolchain", "gotoolchain$PRODUCT$cmd/go"]}