CVE-2026-27140
Received Received - Intake
Code Smuggling in SWIG cgo Files Enables Build-Time RCE

Publication date: 2026-04-08

Last updated on: 2026-04-16

Assigner: Go Project

Description
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27140
EUVD
EUVD-2026-20002
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
golang go to 1.25.9 (exc)
golang go From 1.26.0 (inc) to 1.26.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27140 is a security vulnerability in the Go programming language's build process involving the cgo toolchain and SWIG (Simplified Wrapper and Interface Generator). Specifically, if SWIG source files contain the substring "cgo" in their file names combined with specially crafted payloads, this can bypass the trust layer of the cgo compiler. This bypass allows malicious actors to smuggle code and execute arbitrary code during the build time.

The vulnerability arises because the build system trusts certain file-naming conventions, which can be exploited by attackers to run unauthorized code when the software is being compiled.

Impact Analysis

This vulnerability can lead to arbitrary code execution during the build process of Go programs that use SWIG files with the vulnerable naming pattern. An attacker who can supply or influence SWIG source files could execute unauthorized code on the build system.

Such unauthorized code execution can compromise the integrity and security of the build environment, potentially leading to the introduction of malicious code into the final software product or the compromise of the build infrastructure.

Detection Guidance

This vulnerability involves specially crafted SWIG source files containing the substring "cgo" in their file names that can lead to arbitrary code execution during the build process.

To detect this vulnerability on your system, you should check for the presence of SWIG files with names containing "cgo" in your Go projects, especially if you are using versions of cmd/go before go1.25.9 or between go1.26.0-0 and go1.26.2.

A possible command to find such files in your project directory is:

  • find . -type f -name '*cgo*' -and -name '*.swig' -or -name '*.i'

Additionally, reviewing your build logs for unexpected or suspicious code execution during the build process may help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation involves ensuring that SWIG files do not use the vulnerable file-naming convention containing the substring "cgo".

You should upgrade your Go toolchain to a version where this vulnerability is fixed, such as versions after go1.25.9 or go1.26.2, or the planned fix in Go 1.27.

Avoid building or accepting SWIG source files with names containing "cgo" until you have applied the fix.

Review your build environment and source files for any suspicious or untrusted SWIG files and remove or rename them to avoid triggering the vulnerability.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-27140 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27140. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart