SWIG cgo filename execution in Go cmd/go <1.26.2
CVE-2026-27140 Published on April 8, 2026

Code execution vulnerability in SWIG code generation in cmd/go
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

NVD

Vulnerability Analysis

CVE-2026-27140 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

REQUIRED

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

HIGH

Products Associated with CVE-2026-27140

Want to know whenever a new CVE is published for GoLang Go? stack.watch will email you.

GoLang Go

Affected Versions

Go toolchain cmd/go:

Before 1.25.9 is affected.
Version 1.26.0-0 and below 1.26.2 is affected.

Exploit Probability

EPSS

0.02%

Percentile

5.33%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

SWIG cgo filename execution in Go cmd/go <1.26.2CVE-2026-27140 Published on April 8, 2026

Vulnerability Analysis

Products Associated with CVE-2026-27140

Affected Versions

Exploit Probability

SWIG cgo filename execution in Go cmd/go <1.26.2
CVE-2026-27140 Published on April 8, 2026