Go cgo Comment Parsing Discrepancy Enables Code Smuggling
CVE-2025-61732 Published on February 5, 2026

Potential code smuggling via doc comments in cmd/cgo
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

NVD

Vulnerability Analysis

CVE-2025-61732 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2025-61732 has been classified to as a Code Injection vulnerability or weakness.


Products Associated with CVE-2025-61732

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-61732 are published in these products:

 
 
 
 
 
 
 
 
 
 
 
 
 
 

Affected Versions

Go toolchain cmd/cgo: Red Hat Enterprise Linux AppStream EUS (v. 10.0): Red Hat Enterprise Linux AppStream (v. 10): Red Hat Enterprise Linux AppStream (v. 8): Red Hat Enterprise Linux AppStream AUS (v. 8.2): Red Hat Enterprise Linux AppStream AUS (v.8.4): Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4): Red Hat Enterprise Linux AppStream AUS (v.8.6): Red Hat Enterprise Linux AppStream E4S (v.8.6): Red Hat Enterprise Linux AppStream TUS (v.8.6): Red Hat Enterprise Linux AppStream E4S (v.8.8): Red Hat Enterprise Linux AppStream TUS (v.8.8): Red Hat Enterprise Linux AppStream E4S (v.9.0): Red Hat Enterprise Linux AppStream E4S (v.9.2): Red Hat Enterprise Linux AppStream EUS (v.9.4): Red Hat Enterprise Linux AppStream EUS (v.9.6): Red Hat Enterprise Linux AppStream (v. 9): Red Hat Hardened Images: Red Hat OpenShift Container Platform 4.12: Red Hat OpenShift Container Platform 4.13: Red Hat OpenShift Container Platform 4.14: Red Hat OpenShift Container Platform 4.15: Red Hat OpenShift Container Platform 4.16: Red Hat OpenShift Container Platform 4.17: Red Hat OpenShift Container Platform 4.18: Red Hat OpenShift Container Platform 4.19: Red Hat OpenShift Container Platform 4.20: Red Hat OpenShift Dev Spaces (RHOSDS) 3.26: Red Hat OpenShift Service Mesh 2.6: Red Hat OpenShift Service Mesh 3.1: Red Hat OpenShift Service Mesh 3.2: Red Hat OpenShift Service Mesh 3: Red Hat Enterprise Linux 9: Red Hat OpenShift Virtualization 4:

Exploit Probability

EPSS
0.47%
Percentile
37.50%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.