Privilege Escalation via fchmodat Symlink Race in Go <1.25.9 & 1.26.0-1.26.2
CVE-2026-32282 Published on April 8, 2026
TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
Vulnerability Analysis
CVE-2026-32282 is exploitable with local system access, and requires user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Affected Versions
Go standard library internal/syscall/unix:
- Before 1.25.9 is affected.
- Version 1.26.0-0 and below 1.26.2 is affected.
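To triage deployed binaries against the ranges above, the following added example (not code from the advisory or the Go project) reads the toolchain version and GOOS embedded in a Go executable and applies the listed ranges. The names `Affected` and `Verdict` are hypothetical helpers introduced here.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// Affected applies the advisory's ranges: before 1.25.9, or from 1.26.0-0 (so
// 1.26 pre-releases count) and below 1.26.2. ok is false for non-release strings.
func Affected(v string) (affected, ok bool) {
	var major, minor, patch int
	if n, _ := fmt.Sscanf(v, "go%d.%d.%d", &major, &minor, &patch); n < 2 {
		return false, false // e.g. "devel ..." builds
	}
	ver := major*1_000_000 + minor*1_000 + patch // missing patch (go1.26rc1) stays 0
	return ver < 1_025_009 || (ver >= 1_026_000 && ver < 1_026_002), true
}

// Verdict adds GOOS, since the advisory describes the issue on Linux only. It
// cannot tell whether the program calls Root.Chmod; that needs a code review.
func Verdict(goVersion, goos string) string {
	aff, ok := Affected(goVersion)
	switch {
	case !ok || goos == "":
		return "unknown"
	case aff && goos == "linux":
		return "affected"
	}
	return "not affected"
}

func main() {
	for _, path := range os.Args[1:] {
		info, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Printf("%s: %v\n", path, err)
			continue
		}
		goos := ""
		for _, s := range info.Settings {
			if s.Key == "GOOS" {
				goos = s.Value
			}
		}
		fmt.Printf("%s: %s %s: %s\n", path, info.GoVersion, goos, Verdict(info.GoVersion, goos))
	}
}
```

Pass one or more binary paths as arguments; an "affected" verdict means the binary was built for Linux with a toolchain in the listed ranges and should be rebuilt with a fixed release.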
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.