CVE-2026-32282
Received Received - Intake
Symlink Race Vulnerability in Linux Root.Chmod Allows Unauthorized Access

Publication date: 2026-04-08

Last updated on: 2026-04-16

Assigner: Go Project

Description
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32282
EUVD
EUVD-2026-20012
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
golang go to 1.25.9 (exc)
golang go From 1.26.0 (inc) to 1.26.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32282 is a vulnerability in the Go programming language's Root.Chmod function on Linux systems. It occurs when the target file of a chmod operation is replaced with a symbolic link (symlink) during the operation. Because the underlying Linux system call fchmodat ignores the AT_SYMLINK_NOFOLLOW flag, Root.Chmod may inadvertently change the permissions of the symlink's target file, even if that target lies outside the intended root directory.

Root.Chmod performs an initial check to ensure the target is not a symlink outside the root and returns an error if so. However, a race condition exists where the target can be swapped with a symlink after this check but before the chmod operation, allowing the function to operate on unintended files.

Impact Analysis

This vulnerability can allow unauthorized modification of file permissions on files outside the intended root directory. An attacker could exploit the race condition to replace a target file with a symlink pointing to a sensitive file elsewhere, causing Root.Chmod to change permissions on that sensitive file.

Such unauthorized permission changes could lead to privilege escalation, unauthorized access, or disruption of system security policies.

Detection Guidance

This vulnerability involves a race condition in the Go standard library's Root.Chmod function on Linux systems, where a target file is replaced by a symlink during a chmod operation. Detection would involve monitoring for unexpected permission changes on files outside intended root directories, especially those triggered by Go programs using vulnerable versions.

There are no specific detection commands or network/system scanning commands provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, update the Go programming language to version 1.27 or later, where the Root.Chmod function has been fixed.

The fix involves using the Linux fchmodat2 system call when available, which properly respects symlink handling, or otherwise using a workaround with /proc/self/fd to avoid following symlinks during chmod operations.

Until the update is applied, avoid running untrusted code that performs chmod operations on files that could be replaced by symlinks in a race condition.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32282. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart