CVE-2026-27140
Code Smuggling in SWIG cgo Files Enables Build-Time RCE
Publication date: 2026-04-08
Last updated on: 2026-04-16
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | to 1.25.9 (exc) |
| golang | go | From 1.26.0 (inc) to 1.26.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27140 is a security vulnerability in the Go programming language's build process involving the cgo toolchain and SWIG (Simplified Wrapper and Interface Generator). Specifically, if SWIG source files contain the substring "cgo" in their file names combined with specially crafted payloads, this can bypass the trust layer of the cgo compiler. This bypass allows malicious actors to smuggle code and execute arbitrary code during the build time.
The vulnerability arises because the build system trusts certain file-naming conventions, which can be exploited by attackers to run unauthorized code when the software is being compiled.
How can this vulnerability impact me? :
This vulnerability can lead to arbitrary code execution during the build process of Go programs that use SWIG files with the vulnerable naming pattern. An attacker who can supply or influence SWIG source files could execute unauthorized code on the build system.
Such unauthorized code execution can compromise the integrity and security of the build environment, potentially leading to the introduction of malicious code into the final software product or the compromise of the build infrastructure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves specially crafted SWIG source files containing the substring "cgo" in their file names that can lead to arbitrary code execution during the build process.
To detect this vulnerability on your system, you should check for the presence of SWIG files with names containing "cgo" in your Go projects, especially if you are using versions of cmd/go before go1.25.9 or between go1.26.0-0 and go1.26.2.
A possible command to find such files in your project directory is:
- find . -type f -name '*cgo*' -and -name '*.swig' -or -name '*.i'
Additionally, reviewing your build logs for unexpected or suspicious code execution during the build process may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves ensuring that SWIG files do not use the vulnerable file-naming convention containing the substring "cgo".
You should upgrade your Go toolchain to a version where this vulnerability is fixed, such as versions after go1.25.9 or go1.26.2, or the planned fix in Go 1.27.
Avoid building or accepting SWIG source files with names containing "cgo" until you have applied the fix.
Review your build environment and source files for any suspicious or untrusted SWIG files and remove or rename them to avoid triggering the vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of CVE-2026-27140 on compliance with common standards and regulations such as GDPR or HIPAA.