CVE-2026-39822
Received Received - Intake

Improper Symlink Handling in Go's os.Root

Vulnerability report for CVE-2026-39822, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: Go Project

Description

On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. For example, 'root.Open("symlink/")' will open "symlink" even when "symlink" is a symbolic link pointing outside of the root.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
golang go From 1.27.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-39822 is a vulnerability in the Go programming language's os package on Unix systems. It occurs when opening a file within an os.Root directory if the final component of the path is a symbolic link and the path ends with a trailing slash (/). In this case, the function improperly follows the symlink even if it points outside the intended root directory.

For example, calling root.Open("symlink/") will open the target of "symlink" even if that symlink points outside the root directory. This happens because the underlying openat system call with the O_NOFOLLOW flag still follows symlinks when the path ends with a slash, and the Go implementation did not properly sanitize the path to prevent this behavior.

Impact Analysis

This vulnerability can allow an attacker or a malicious user to escape the intended root directory restrictions by exploiting symbolic links with trailing slashes. This means that code relying on os.Root to restrict file access within a certain directory could be bypassed, potentially allowing unauthorized access to files outside the designated root.

Such unauthorized access could lead to information disclosure, unauthorized file reads or writes, and compromise of system integrity depending on the permissions and context in which the vulnerable code is used.

Detection Guidance

This vulnerability involves the Go programming language's os package improperly following symbolic links when opening files in an os.Root directory if the final path component is a symlink and the path ends with a slash (/).

To detect this vulnerability on your system, you would need to identify if your Go applications use the os.Root functions (such as OpenInRoot, Root.Create, Root.Open, Root.OpenFile, Root.OpenRoot, Root.ReadFile, and Root.WriteFile) and whether they open paths ending with a trailing slash that are symbolic links pointing outside the intended root.

There are no specific commands provided in the resources to detect this vulnerability directly on your network or system.

Mitigation Strategies

The immediate mitigation step is to update your Go environment to a version that includes the fix for this vulnerability.

The issue has been addressed by properly sanitizing the path parameter passed to the openat system call in the os.Root functions, preventing symlink escapes when the path ends with a slash.

Ensure that your Go version is at least the security release that fixed this issue, tracked under Go issue #79005 and marked as a security release blocker for Go 1.27.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39822. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart