CVE-2025-61732
published 2026-02-05CVE-2025-61732: A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
PriorityP346high8.6CVSS 3.1
AVLACLPRNUIRSCCHIHAH
EPSS
0.47%
37.3th percentile
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24.13-1 (forky) | golang-1.24 1.24.13-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.13-1 (forky) | golang-1.24 1.24.13-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.13-1 (forky) | golang-1.24 1.24.13-1 (forky) |
| debian | golang-1.25 | < golang-1.24 1.24.13-1 (forky) | golang-1.24 1.24.13-1 (forky) |
| go_toolchain | cmd_cgo | < 1.24.13 | 1.24.13 |
| go_toolchain | cmd_cgo | >= 1.25.0-0 < 1.25.7 | 1.25.7 |
| golang | go | < 1.24.13 | 1.24.13 |
| golang | go | >= 1.25.0 < 1.25.7 | 1.25.7 |
CVSS provenance
nvdv3.18.6HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
osv8.6HIGH
vendor_debian8.6HIGH
vendor_redhat8.6HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
cmd-cgo up to 1.24.12/1.25.6 on Go code injection (Nessus ID 298276 / WID-SEC-2026-0345)
vuldb·2026-07-01·CVSS 8.6
CVE-2025-61732 [HIGH] cmd-cgo up to 1.24.12/1.25.6 on Go code injection (Nessus ID 298276 / WID-SEC-2026-0345)
A vulnerability classified as critical has been found in cmd-cgo up to 1.24.12/1.25.6 on Go. This issue affects some unknown processing. Performing a manipulation results in code injection.
This vulnerability is cataloged as CVE-2025-61732. It is possible to initiate the attack remotely. There is no exploit available.
It is recommended to upgrade the affected component.
OSV
Potential code smuggling via doc comments in cmd/cgo
osv·2026-02-05
CVE-2025-61732 Potential code smuggling via doc comments in cmd/cgo
Potential code smuggling via doc comments in cmd/cgo
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
OSV
CVE-2025-61732: A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary
osv·2026-02-05·CVSS 8.6
CVE-2025-61732 [HIGH] CVE-2025-61732: A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
GHSA
GHSA-8jvr-vh7g-f8gx: A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary
ghsa_unreviewed·2026-02-05
CVE-2025-61732 [HIGH] CWE-94 GHSA-8jvr-vh7g-f8gx: A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
Red Hat
cmd/cgo: Go cgo: Code smuggling due to comment parsing discrepancy
vendor_redhat·2026-02-05·CVSS 8.6
CVE-2025-61732 [HIGH] cmd/cgo: Go cgo: Code smuggling due to comment parsing discrepancy
cmd/cgo: Go cgo: Code smuggling due to comment parsing discrepancy
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
A flaw was found in Go's 'cgo tool'. This vulnerability arises from a discrepancy in how Go and C/C++ comments are parsed, which allows for malicious code to be hidden within comments and then "smuggled" into the compiled `cgo` binary. An attacker could exploit this to embed and execute arbitrary code, potentially leading to significant system compromise.
Statement: This is an Important vulnerability in the `cmd/cgo` component of the Go toolchain. A parsing discrepancy between Go and C/C++ comments could allow for code smuggling into the resulting `cgo` binary. This primarily affects systems where untrust
Debian
CVE-2025-61732: golang-1.15 - A discrepancy between how Go and C/C++ comments were parsed allowed for code smu...
vendor_debian·2025·CVSS 8.6
CVE-2025-61732 [HIGH] CVE-2025-61732: golang-1.15 - A discrepancy between how Go and C/C++ comments were parsed allowed for code smu...
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-61732 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2025-61732 [HIGH] CVE-2025-61732 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-61732 :
cAdvisor vulnerability analysis and mitigation
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
Source : NVD
## 8.6
Score
Published February 5, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
cAdvisor
Terraform Community
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mongodb-kubernetes-operator-fips
nats-top
Sources
AlmaLinux 8 Severity HIGH Has Fix Added at: Feb 16, 2026
AlmaLinux 9 Severity HIGH Has Fix Added at: Feb 18, 2026
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22
Wiz
CVE-2025-47911 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-47911 [MEDIUM] CVE-2025-47911 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-47911 :
Terraform Community vulnerability analysis and mitigation
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Source : NVD
## 5.3
Score
Published February 5, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Terraform Community
Packer
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cri-o
kubernetes
Sources
NVD
CBL-Mariner 2.0 Severity MEDIUM Has Fix Added at: Mar 04, 2026
CBL-Mariner 3.0 Severity MEDIUM Has Fix Added at: M
Wiz
CVE-2025-66580 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
CVE-2025-66580 [HIGH] CVE-2025-66580 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66580 :
Dive vulnerability analysis and mitigation
javascript:
Source : NVD
## 9.6
Score
Published December 19, 2025
Severity CRITICAL
CNA Score 9.6
Affected Technologies
Dive
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 50.3
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
dive
Sources
NVD
Homebrew Severity CRITICAL Has Fix Added at: Jan 04, 2026
Nix Severity CRITICAL Has Fix Added at: Jan 04, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Dive vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploi
Wiz
CVE-2025-11065 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-11065 [MEDIUM] CVE-2025-11065 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-11065 :
Terraform Community vulnerability analysis and mitigation
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.
Source : NVD
## 5.3
Score
Published January 26, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Terraform Community
Packer
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-11.2
kyverno-fips-1.12
Sources
NVD
Wiz
CVE-2026-23523 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
CVE-2026-23523 [HIGH] CVE-2026-23523 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23523 :
Dive vulnerability analysis and mitigation
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim’s machine. This vulnerability is fixed in 0.13.0.
Source : NVD
## 8.8
Score
Published January 16, 2026
Severity HIGH
CNA Score 9.6
Affected Technologies
Dive
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dive
Sources
NVD
Homebrew Severity HIGH Has Fix
Bugzilla
CVE-2025-61732 cmd/cgo: Go cgo: Code smuggling due to comment parsing discrepancy
bugzilla·2026-02-05·CVSS 8.6
CVE-2025-61732 [HIGH] CVE-2025-61732 cmd/cgo: Go cgo: Code smuggling due to comment parsing discrepancy
CVE-2025-61732 cmd/cgo: Go cgo: Code smuggling due to comment parsing discrepancy
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:2706 https://access.redhat.com/errata/RHSA-2026:2706
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2026:2708 https://access.redhat.com/errata/RHSA-2026:2708
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2026:2709 https://access.redhat.com/errata/RHSA-2026:2709
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10.0 Extended Update Sup
https://go.dev/cl/734220https://go.dev/issue/76697https://groups.google.com/g/golang-announce/c/K09ubi9FQFkhttps://pkg.go.dev/vuln/GO-2026-4433https://access.redhat.com/errata/RHSA-2026:10104https://access.redhat.com/errata/RHSA-2026:12282https://access.redhat.com/errata/RHSA-2026:14100https://access.redhat.com/errata/RHSA-2026:14774https://access.redhat.com/errata/RHSA-2026:15091https://access.redhat.com/errata/RHSA-2026:21691https://access.redhat.com/errata/RHSA-2026:2706https://access.redhat.com/errata/RHSA-2026:2708https://access.redhat.com/errata/RHSA-2026:2709https://access.redhat.com/errata/RHSA-2026:2844https://access.redhat.com/errata/RHSA-2026:3192https://access.redhat.com/errata/RHSA-2026:3193https://access.redhat.com/errata/RHSA-2026:3468https://access.redhat.com/errata/RHSA-2026:3469https://access.redhat.com/errata/RHSA-2026:3470https://access.redhat.com/errata/RHSA-2026:3471https://access.redhat.com/errata/RHSA-2026:3472https://access.redhat.com/errata/RHSA-2026:3473https://access.redhat.com/errata/RHSA-2026:3489https://access.redhat.com/errata/RHSA-2026:3556https://access.redhat.com/errata/RHSA-2026:3559https://access.redhat.com/errata/RHSA-2026:3855https://access.redhat.com/errata/RHSA-2026:4434https://access.redhat.com/errata/RHSA-2026:5133https://access.redhat.com/errata/RHSA-2026:5907https://access.redhat.com/errata/RHSA-2026:5948https://access.redhat.com/errata/RHSA-2026:5950https://access.redhat.com/errata/RHSA-2026:5952https://access.redhat.com/errata/RHSA-2026:7291https://access.redhat.com/errata/RHSA-2026:7385https://access.redhat.com/errata/RHSA-2026:8448https://access.redhat.com/security/cve/CVE-2025-61732https://bugzilla.redhat.com/show_bug.cgi?id=2437016https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-61732.json
2026-02-05
Published