HIGHCVE-2026-27140Published 2026-04-08Modified 2026-04-13CNA Go

CVE-2026-27140: Code execution vulnerability in SWIG code generation in cmd/go

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 1.25.9
Affected Products: 1

Fix available

1.25.91.26.2

Affected packages

Go toolchain / cmd/go
< 1.25.9 (from 0) · < 1.26.2 (from 1.26.0-0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

go.dev
go.dev
groups.google.com
pkg.go.dev

Metrics

Fix available