CVE-2026-27139 — Path Traversal in Standard Library OS

CWE-22 — Path Traversal9 documents8 sources

Severity

2.5LOWNVD

EPSS

0.0%

top 99.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library OS

Timeline

PublishedMar 6

Latest updateMar 10

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.0 | Impact: 1.4

Affected Packages1 packages

▶CVEListV5go_standard_library/os1.26.0-0 — 1.26.1+1

🔴Vulnerability Details

GHSA

GHSA-rv83-g57w-fr8j: On Unix platforms, when listing the contents of a directory using File↗2026-03-07

▶

CVEList

FileInfo can escape from a Root in os↗2026-03-06

▶

OSV

CVE-2026-27139: On Unix platforms, when listing the contents of a directory using File↗2026-03-06

▶

OSV

FileInfo can escape from a Root in os↗2026-03-06

▶

📋Vendor Advisories

Microsoft

FileInfo can escape from a Root in os↗2026-03-10

▶

Red Hat

os: FileInfo can escape from a Root in golang os module↗2026-03-06

▶

Debian

CVE-2026-27139: golang-1.15 - On Unix platforms, when listing the contents of a directory using File.ReadDir o...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27139 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶