CVE-2026-39819
go bug Command Symlink Race Condition in Go
Publication date: 2026-05-07
Last updated on: 2026-05-08
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | to 1.25.10 (exc) |
| golang | go | From 1.26.0 (inc) to 1.26.3 (exc) |
| golang | go | 1.27.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in CVE-2026-39819 affects the "go bug" command in the Go programming language. This command writes to two files with predictable names in the system's temporary directory, such as "/tmp".
An attacker who has access to this temporary directory can create a symbolic link (symlink) using one of these predictable filenames. When the "go bug" command runs, it will overwrite the target of the symlink instead of the intended file, potentially causing unintended file modifications.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with access to the system's temporary directory to overwrite arbitrary files by exploiting the predictable filenames used by the "go bug" command.
Such overwriting could lead to data corruption, unauthorized modification of files, or potentially executing malicious code if critical files are targeted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the "go bug" command writing to two files with predictable names in the system temporary directory (e.g., "/tmp"). Detection involves checking for the presence of these predictable files or symbolic links in the temporary directory that could be exploited.
You can detect potential exploitation by listing symbolic links in the temporary directory that match the predictable filenames used by the "go bug" command.
- Run the command: ls -l /tmp | grep <predictable-filename>
- Check for symbolic links specifically: find /tmp -type l -ls
- Monitor the creation or modification of files with predictable names in /tmp around the time "go bug" is run.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid running vulnerable versions of the "go bug" command that write to predictable filenames in the temporary directory.
Update your Go installation to a fixed version where the issue is resolved, such as Go 1.27 or later, which uses secure temporary directories created with os.MkdirTemp.
Restrict access permissions to the system temporary directory (/tmp) to prevent attackers from creating symbolic links with predictable names.
As a temporary workaround, manually check and remove any suspicious symbolic links in the temporary directory before running the "go bug" command.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the vulnerability in the "go bug" command affects compliance with common standards and regulations such as GDPR or HIPAA.