CVE-2026-32282
Symlink Race Vulnerability in Linux Root.Chmod Allows Unauthorized Access
Publication date: 2026-04-08
Last updated on: 2026-04-16
Assigner: Go Project
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | Up to 1.25.9 (exc) |
| golang | go | From 1.26.0 (inc) to 1.26.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32282 is a vulnerability in the Go programming language's Root.Chmod function on Linux systems. It occurs when the target file of a chmod operation is replaced with a symbolic link (symlink) during the operation. Because the underlying Linux system call fchmodat ignores the AT_SYMLINK_NOFOLLOW flag, Root.Chmod may inadvertently change the permissions of the symlink's target file, even if that target lies outside the intended root directory.
Root.Chmod performs an initial check to ensure the target is not a symlink outside the root and returns an error if so. However, a race condition exists where the target can be swapped with a symlink after this check but before the chmod operation, allowing the function to operate on unintended files.
How can this vulnerability impact me?
This vulnerability can allow unauthorized modification of file permissions on files outside the intended root directory. An attacker could exploit the race condition to replace a target file with a symlink pointing to a sensitive file elsewhere, causing Root.Chmod to change permissions on that sensitive file.
Such unauthorized permission changes could lead to privilege escalation, unauthorized access, or disruption of system security policies.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a race condition in the Go standard library's Root.Chmod function on Linux systems, where a target file is replaced by a symlink during a chmod operation. Detection would involve monitoring for unexpected permission changes on files outside intended root directories, especially those triggered by Go programs using vulnerable versions.
There are no specific detection commands or network/system scanning commands provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Go programming language to version 1.27 or later, where the Root.Chmod function has been fixed.
The fix involves using the Linux fchmodat2 system call when available, which properly respects symlink handling, or otherwise using a workaround with /proc/self/fd to avoid following symlinks during chmod operations.
Until the update is applied, avoid running untrusted code that performs chmod operations on files that could be replaced by symlinks in a race condition.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.