CVE-2026-27140

Published: Apr 8, 2026Modified: Apr 16, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

Affected (2)

Products: Golang: Go

Golang

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.25.9
Golang Go	From 1.26.0 to 1.26.2

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://go.dev/cl/763768

Source: security@golang.org

Release Notes

https://go.dev/issue/78335

Source: security@golang.org

Issue Tracking

https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU

Source: security@golang.org

Release NotesMailing List

https://pkg.go.dev/vuln/GO-2026-4871

Source: security@golang.org

Vendor Advisory

Timeline

No history available yet.