CVE-2025-61732 — Code Injection in Toolchain CMD CGO

Severity

8.6HIGHNVD

EPSS

0.0%

top 99.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedFeb 5

Description

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0

▶NVDgolang/go1.25.0 — 1.25.7+1

▶CVEListV5go_toolchain/cmd_cgo1.25.0-0 — 1.25.7+1

OSV

Potential code smuggling via doc comments in cmd/cgo↗2026-02-05

▶

OSV

CVE-2025-61732: A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary↗2026-02-05

▶

CVEList

Potential code smuggling via doc comments in cmd/cgo↗2026-02-05

▶

GHSA

GHSA-8jvr-vh7g-f8gx: A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary↗2026-02-05

▶

Red Hat

cmd/cgo: Go cgo: Code smuggling due to comment parsing discrepancy↗2026-02-05

▶

Debian

CVE-2025-61732: golang-1.15 - A discrepancy between how Go and C/C++ comments were parsed allowed for code smu...↗2025

▶

Wiz

CVE-2025-61732 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶