Go toolchain cmd/go 1.25.10, 1.26.3: temp file overwrite: CVE-2026-39819 May 2026

Invoking "go bug" follows symlinks in predictable temporary filenames in cmd/go
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

Vulnerability Analysis

CVE-2026-39819 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a high impact on integrity, and no impact on availability.

Attack Vector:

LOCAL

Attack Complexity:

HIGH

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

HIGH

Availability Impact:

NONE

Products Associated with CVE-2026-39819

Want to know whenever a new CVE is published for GoLang Go? stack.watch will email you.

Go toolchain cmd/go 1.25.10, 1.26.3: temp file overwrite
CVE-2026-39819 Published on May 7, 2026

Vulnerability Analysis

Products Associated with CVE-2026-39819

Affected Versions

Go toolchain cmd/go 1.25.10, 1.26.3: temp file overwriteCVE-2026-39819 Published on May 7, 2026

Vulnerability Analysis

Products Associated with CVE-2026-39819

Affected Versions

Go toolchain cmd/go 1.25.10, 1.26.3: temp file overwrite
CVE-2026-39819 Published on May 7, 2026