{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27140", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-17T19:57:28.435Z", "datePublished": "2026-04-08T01:06:57.893Z", "dateUpdated": "2026-04-09T03:55:58.107Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:57.893Z"}, "title": "Code execution vulnerability in SWIG code generation in cmd/go", "descriptions": [{"lang": "en", "value": "SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/go", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/go", "versions": [{"version": "0", "lessThan": "1.25.9", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.2", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-501: Trust Boundary Violation"}]}], "references": [{"url": "https://go.dev/cl/763768"}, {"url": "https://go.dev/issue/78335"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4871"}], "credits": [{"lang": "en", "value": "Juho Fors\u00e9n of Mattermost"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-27140"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T03:55:58.107Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass."}], "id": "CVE-2026-27140", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T02:16:02.887", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/763768"}, {"source": "security@golang.org", "url": "https://go.dev/issue/78335"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4871"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.25.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.0-0,1.26.2)"}}], "enrichment": {"confidence": 97.0, "confidence_source": "matching", "scores": [{"score": 97.0, "source": "matching"}]}, "original": {"product": "cmd/go", "source": "cna", "vendor": "Go toolchain"}, "product": "cmd/go", "vendor": "gotoolchain"}], "analysis": {"en": {"generated_at": "2026-04-08T02:22:13.474165+00:00", "value": {"mitigation_remediation": ["Update to the latest Go toolchain release that includes the fix for the SWIG code execution flaw.", "Review all SWIG module files in the repository; rename any that contain the string 'cgo' if they are not required, or remove them from the build process.", "Run the Go compiler in a controlled, isolated build environment and monitor for unexpected file system changes during compilation."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary code execution at build time"}, "threat_synthesis": {"affected_systems": "All installations of the Go toolchain that use cmd/go and process SWIG module files could be impacted. Specific affected Go versions are not disclosed, but until a patch is applied any current or older Go release that remains unpatched is potentially vulnerable.", "description_and_impact": "The vulnerability arises when SWIG files contain the substring 'cgo' and include crafted payloads, allowing attackers to smuggle code into the Go build process. During compilation, the Go toolchain mistakenly accepts the malicious input and executes arbitrary code. This results in a complete compromise of the build environment and any binaries produced, effectively giving the attacker full control over the system that runs the build.", "risk_and_exploitability": "Exploitation requires the attacker to supply a SWIG file with a name containing 'cgo' and malicious payloads during a build. The attacker must be able to influence the source repository or build scripts. While the CVSS score is not listed and no EPSS value is available, the absence from the Known Exploited Vulnerabilities catalog suggests low current exploitation. Nevertheless, the severity of arbitrary code execution at build time makes this a high\u2011priority issue."}}}}, "created": "2026-04-08T19:44:17.375542+00:00", "updated": "2026-04-09T08:22:27.689422+00:00", "vendors": ["gotoolchain", "gotoolchain$PRODUCT$cmd/go"], "weaknesses": ["CWE-94"]}