go stdlib: os ReadDir/FileInfo path escape before 1.25.8 & 1.26.1
CVE-2026-27139 Published on March 6, 2026

FileInfo can escape from a Root in os
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir, the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem; it does not permit reading or writing files outside the root.

NVD
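
To check whether a compiled Go binary was built with a toolchain that predates the fixed releases named in the title, the following added example (not part of the advisory or of the Go project's code) reads the toolchain version recorded in each binary with debug/buildinfo and applies the range "before 1.25.8 & 1.26.1". The helper names parse and Affected are made up for this example, and treating every release line older than 1.25 as affected is an assumption based on the title's wording.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parse turns "go1.25.7" into (25, 7, true). A pre-release such as
// "go1.26rc2" gets patch -1 so it sorts before every release of its line.
func parse(v string) (minor, patch int, ok bool) {
	f := strings.Fields(v) // drop suffixes such as " X:someexperiment"
	if len(f) == 0 || !strings.HasPrefix(f[0], "go1.") {
		return 0, 0, false // devel builds and unknown formats
	}
	rest := f[0][len("go1."):]
	if i := strings.IndexAny(rest, "rb"); i > 0 { // "rc" or "beta" marker
		rest, patch = rest[:i], -1
	}
	minorStr, patchStr, hasPatch := strings.Cut(rest, ".")
	minor, err := strconv.Atoi(minorStr)
	if err == nil && hasPatch {
		patch, err = strconv.Atoi(patchStr)
	}
	return minor, patch, err == nil
}

// Affected applies the range from the advisory title: fixed in 1.25.8 and
// 1.26.1. known is false when the string is not a tagged release version.
func Affected(goVersion string) (affected, known bool) {
	minor, patch, ok := parse(goVersion)
	if minor >= 26 {
		return ok && minor == 26 && patch < 1, ok
	}
	// Assumption: 1.25.x and all older release lines count as "before 1.25.8".
	return ok && (minor < 25 || patch < 8), ok
}

func main() { // usage: prog BINARY...
	for _, path := range os.Args[1:] {
		if bi, err := buildinfo.ReadFile(path); err != nil {
			fmt.Fprintln(os.Stderr, path, err)
		} else {
			a, known := Affected(bi.GoVersion) // toolchain recorded at build time
			fmt.Printf("%s\t%s\taffected=%v known=%v\n", path, bi.GoVersion, a, known)
		}
	}
}
```

A result with known=false (for example a development toolchain) needs manual review rather than being read as unaffected.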

Vulnerability Analysis

CVE-2026-27139 can be exploited with local system access and requires a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be a small impact on confidentiality, with no impact on integrity or availability.

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

Products Associated with CVE-2026-27139

Affected Versions

Go standard library os: