CVE-2026-39817
go tool pack Command Injection Vulnerability
Publication date: 2026-05-07
Last updated on: 2026-05-08
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | From 1.26.0 (inc) to 1.26.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows writing files to arbitrary locations on the filesystem when extracting a malicious archive using the "go tool pack" subcommand. This unauthorized file write capability could potentially lead to unauthorized data access or modification.
Such unauthorized file system access may impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and access. If exploited, this vulnerability could lead to data breaches or unauthorized data manipulation, thereby violating these compliance requirements.
Can you explain this vulnerability to me?
The vulnerability exists in the "go tool pack" subcommand of the Go programming language, which is typically used internally by the compiler. This subcommand does not properly sanitize output filenames when extracting archive files.
As a result, if a malicious archive file is processed, it can write files to arbitrary locations on the filesystem, potentially overwriting or creating files outside the intended directory.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to write files to arbitrary locations on your filesystem by crafting a malicious archive file and having it extracted using the vulnerable "go tool pack" subcommand.
Such unauthorized file writes could lead to overwriting important files, placing malicious executables or scripts, or otherwise compromising the integrity and security of your system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the "go tool pack" subcommand extracting malicious archive files that write files to arbitrary locations on the filesystem due to unsanitized output filenames.
To detect exploitation attempts or presence of this vulnerability on your system, you can monitor for unexpected file writes or suspicious archive extraction activities involving the "go tool pack" command.
Suggested commands include:
- Use file integrity monitoring tools (e.g., tripwire, AIDE) to detect unexpected file creations or modifications.
- Check recent file creation timestamps and locations for unusual files outside expected directories, for example using: find / -type f -newermt 'YYYY-MM-DD' -ls
- Audit command history or process execution logs for usage of "go tool pack" extracting archives.
- Use system auditing tools (e.g., auditd on Linux) to monitor filesystem writes by the "go" binary.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update the Go toolchain to a fixed version where the vulnerability is addressed.
- Upgrade to Go version 1.27 or later, where the fix preventing extraction of files with directory components in their names has been implemented.
- Avoid extracting untrusted or malicious archive files using the "go tool pack" subcommand.
- Implement filesystem permissions and sandboxing to limit the locations where the "go tool pack" can write files.
- Monitor and audit usage of the "go tool pack" command to detect suspicious activity.