CVE-2026-39819
Undergoing Analysis Undergoing Analysis - In Progress
go bug Command Symlink Race Condition in Go

Publication date: 2026-05-07

Last updated on: 2026-05-08

Assigner: Go Project

Description
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-39819
EUVD
EUVD-2026-28422
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
golang go to 1.25.10 (exc)
golang go From 1.26.0 (inc) to 1.26.3 (exc)
golang go 1.27.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in CVE-2026-39819 affects the "go bug" command in the Go programming language. This command writes to two files with predictable names in the system's temporary directory, such as "/tmp".

An attacker who has access to this temporary directory can create a symbolic link (symlink) using one of these predictable filenames. When the "go bug" command runs, it will overwrite the target of the symlink instead of the intended file, potentially causing unintended file modifications.

Impact Analysis

This vulnerability can allow an attacker with access to the system's temporary directory to overwrite arbitrary files by exploiting the predictable filenames used by the "go bug" command.

Such overwriting could lead to data corruption, unauthorized modification of files, or potentially executing malicious code if critical files are targeted.

Detection Guidance

This vulnerability involves the "go bug" command writing to two files with predictable names in the system temporary directory (e.g., "/tmp"). Detection involves checking for the presence of these predictable files or symbolic links in the temporary directory that could be exploited.

You can detect potential exploitation by listing symbolic links in the temporary directory that match the predictable filenames used by the "go bug" command.

  • Run the command: ls -l /tmp | grep <predictable-filename>
  • Check for symbolic links specifically: find /tmp -type l -ls
  • Monitor the creation or modification of files with predictable names in /tmp around the time "go bug" is run.
Mitigation Strategies

To mitigate this vulnerability, avoid running vulnerable versions of the "go bug" command that write to predictable filenames in the temporary directory.

Update your Go installation to a fixed version where the issue is resolved, such as Go 1.27 or later, which uses secure temporary directories created with os.MkdirTemp.

Restrict access permissions to the system temporary directory (/tmp) to prevent attackers from creating symbolic links with predictable names.

As a temporary workaround, manually check and remove any suspicious symbolic links in the temporary directory before running the "go bug" command.

Compliance Impact

The provided information does not specify how the vulnerability in the "go bug" command affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39819. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart