CVE-2026-27140

Опубликовано: 08 апр. 2026

Источник: debian

EPSS Низкий

Описание

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

Пакеты

Пакет	Статус	Версия исправления	Релиз	Тип
golang-1.26	fixed	1.26.2-1		package
golang-1.25	fixed	1.25.9-1		package
golang-1.24	removed			package
golang-1.24	no-dsa		trixie	package
golang-1.19	removed			package
golang-1.19	no-dsa		bookworm	package
golang-1.15	removed			package
golang-1.15	postponed		bullseye	package

Примечания

https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://github.com/golang/go/issues/78335
Fixed by: https://github.com/golang/go/commit/096f21b1c50fe62bc54c1fb1ede60fca63239123 (go1.26.2)
Fixed by: https://github.com/golang/go/commit/abaa0cbb259e059ee60c33a7507eddc1fe7d20fa (go1.25.9)

EPSS

Процентиль: 41%

0.00532

Низкий

Связанные уязвимости

CVE-2026-27140

CVSS3: 8.8

ubuntu

3 месяца назад

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

CVE-2026-27140

CVSS3: 9

redhat

3 месяца назад

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

CVE-2026-27140

CVSS3: 8.8

nvd

3 месяца назад

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

CVE-2026-27140

msrc

26 дней назад

Code execution vulnerability in SWIG code generation in cmd/go

GHSA-5w89-2c2x-6x66

CVSS3: 8.8

github

3 месяца назад

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

EPSS

Процентиль: 41%

0.00532

Низкий