CVE-2026-27140

Summary

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

Affected Software

VendorProductVersion RangeStatus
Go toolchaincmd/go0 < 1.25.9affected
Go toolchaincmd/go1.26.0-0 < 1.26.2affected

Weaknesses

  • CWE-501: Trust Boundary Violation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names

Additional References

References