CVE-2026-27140

Опубликовано: 08 апр. 2026

Источник: redhat

CVSS3: 9

EPSS Низкий

Описание

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

A flaw was found in the Go programming language (golang) and its command-line tool (cmd/go). A remote attacker could exploit this during the build process by crafting malicious SWIG (Simplified Wrapper and Interface Generator) file names that contain "cgo" and specific payloads. This could lead to code smuggling and arbitrary code execution, bypassing trust mechanisms and allowing the attacker to run unauthorized code.

Затронутые пакеты

Платформа	Пакет	Состояние
OpenShift Service Mesh 2	openshift4/ose-docker-builder-rhel9	Not affected
OpenShift Service Mesh 2	openshift-golang-builder-container	Under investigation
OpenShift Service Mesh 2	openshift-service-mesh/istio-cni-rhel8	Not affected
OpenShift Service Mesh 2	openshift-service-mesh/istio-rhel8-operator	Not affected
OpenShift Service Mesh 2	openshift-service-mesh/pilot-rhel8	Not affected
OpenShift Service Mesh 2	openshift-service-mesh/proxyv2-rhel9	Not affected
OpenShift Service Mesh 2	openshift-service-mesh/ratelimit-rhel8	Not affected
OpenShift Service Mesh 3	openshift4/ose-docker-builder-rhel9	Not affected
OpenShift Service Mesh 3	openshift-golang-builder-container	Under investigation
OpenShift Service Mesh 3	openshift-service-mesh/istio-cni-rhel9	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-641

https://bugzilla.redhat.com/show_bug.cgi?id=2456341cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names

EPSS

Процентиль: 41%

0.00532

Низкий

9 Critical

CVSS3

Связанные уязвимости

CVE-2026-27140

CVSS3: 8.8

ubuntu

3 месяца назад

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

CVE-2026-27140

CVSS3: 8.8

nvd

3 месяца назад

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

CVE-2026-27140

msrc

26 дней назад

Code execution vulnerability in SWIG code generation in cmd/go

CVE-2026-27140

CVSS3: 8.8

debian

3 месяца назад

SWIG file names containing 'cgo' and well-crafted payloads could lead ...

GHSA-5w89-2c2x-6x66

CVSS3: 8.8

github

3 месяца назад

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

EPSS

Процентиль: 41%

0.00532

Низкий

9 Critical

CVSS3