Bug 2456341 (CVE-2026-27140)
| Summary: | CVE-2026-27140 cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | caswilli, crizzo, fdeutsch, kaycoth, oramraz, rhel-process-autobot, smullick, stirabos, thason, watson-tool-maintainers |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Doc Text: | A flaw was found in the Go programming language (golang) and its command-line tool (cmd/go). A remote attacker could exploit this during the build process by crafting malicious SWIG (Simplified Wrapper and Interface Generator) file names that contain "cgo" and specific payloads. This could lead to code smuggling and arbitrary code execution, bypassing trust mechanisms and allowing the attacker to run unauthorized code. |
| Bug Depends On: | 2456854, 2456855, 2456856 | ||
Description
OSIDB Bzimport
2026-04-08 02:01:49 UTC
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 10
Via RHSA-2026:10217 https://access.redhat.com/errata/RHSA-2026:10217

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9
Via RHSA-2026:10219 https://access.redhat.com/errata/RHSA-2026:10219

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2026:10704 https://access.redhat.com/errata/RHSA-2026:10704

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 10.0 Extended Update Support
Via RHSA-2026:16024 https://access.redhat.com/errata/RHSA-2026:16024

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.6 Extended Update Support
Via RHSA-2026:16021 https://access.redhat.com/errata/RHSA-2026:16021

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.4 Extended Update Support
Via RHSA-2026:16497 https://access.redhat.com/errata/RHSA-2026:16497

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
Via RHSA-2026:16494 https://access.redhat.com/errata/RHSA-2026:16494

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
Via RHSA-2026:16498 https://access.redhat.com/errata/RHSA-2026:16498

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service
Via RHSA-2026:16697 https://access.redhat.com/errata/RHSA-2026:16697

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On
Via RHSA-2026:16698 https://access.redhat.com/errata/RHSA-2026:16698

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service
Via RHSA-2026:16694 https://access.redhat.com/errata/RHSA-2026:16694