CVE-2026-27140
Published 2026-04-08
CVE-2026-27140: SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
Priority P3 · 53 · high · 8.8 CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 0.66% (46.9th percentile)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.19 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.24 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.25 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.26 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| go_toolchain | cmd_go | < 1.25.9 | 1.25.9 |
| go_toolchain | cmd_go | >= 1.26.0-0 < 1.26.2 | 1.26.2 |
| golang | go | < 1.25.9 | 1.25.9 |
| golang | go | >= 1.26.0 < 1.26.2 | 1.26.2 |
CVSS provenance
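| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |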
VulDB
cmd-go up to 1.25.8/1.26.1 on Go SWIG File Parser trust boundary violation (Nessus ID 305651 / WID-SEC-2026-1006)
vuldb·2026-04-29·CVSS 8.8
CVE-2026-27140 [HIGH] cmd-go up to 1.25.8/1.26.1 on Go SWIG File Parser trust boundary violation (Nessus ID 305651 / WID-SEC-2026-1006)
A vulnerability, which was classified as critical, has been found in cmd-go up to 1.25.8/1.26.1 on Go. This vulnerability affects unknown code of the component SWIG File Parser. Performing a manipulation results in trust boundary violation.
This vulnerability is reported as CVE-2026-27140. The attack can be carried out remotely. No exploit exists.
It is advisable to upgrade the affected component.
OSV
CVE-2026-27140: SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer
osv·2026-04-08·CVSS 8.8
CVE-2026-27140 [HIGH] CVE-2026-27140: SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
GHSA
GHSA-5w89-2c2x-6x66: SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer
ghsa_unreviewed·2026-04-08
CVE-2026-27140 GHSA-5w89-2c2x-6x66: SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
OSV
Code execution vulnerability in SWIG code generation in cmd/go
osv·2026-04-07
CVE-2026-27140 Code execution vulnerability in SWIG code generation in cmd/go
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
Red Hat
cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names
vendor_redhat·2026-04-08·CVSS 8.8
CVE-2026-27140 [HIGH] CWE-641 cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names
A flaw was found in the Go programming language (golang) and its command-line tool (cmd/go). A remote attacker could exploit this during the build process by crafting malicious SWIG (Simplified Wrapper and Interface Generator) file names that contain "cgo" and specific payloads. This could lead to code smuggling and arbitrary code execution, bypassing trust mechanisms and allowing the attacker to run unauthorized code.
Package: openshift4/ose-docker-builder-rhel9 (OpenShift Service Mesh 2) - Affected
Package: openshift4/ose-docker-builder-rhel9 (OpenShift Service Mesh 3) - Affected
Package: golang (Red Hat Enterprise Linux 10) - Affected
Package: golang (Red Hat Enterprise Linux 8) - Affecte
Debian
CVE-2026-27140: golang-1.15 - SWIG file names containing 'cgo' and well-crafted payloads could lead to code sm...
vendor_debian·2026·CVSS 8.8
CVE-2026-27140 [HIGH] CVE-2026-27140: golang-1.15 - SWIG file names containing 'cgo' and well-crafted payloads could lead to code sm...
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-27140 golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names [fedora-all]
bugzilla·2026-04-09·CVSS 8.8
CVE-2026-27140 [HIGH] CVE-2026-27140 golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-27140 gcc-epel: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names [epel-all]
bugzilla·2026-04-09·CVSS 8.8
CVE-2026-27140 [HIGH] CVE-2026-27140 gcc-epel: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names [epel-all]
Bugzilla
CVE-2026-27140 golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names [fedora-43]
bugzilla·2026-04-09·CVSS 8.8
CVE-2026-27140 [HIGH] CVE-2026-27140 golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names [fedora-43]
Bugzilla
CVE-2026-27140 cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names
bugzilla·2026-04-08·CVSS 8.8
CVE-2026-27140 [HIGH] CVE-2026-27140 cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
Wiz
CVE-2026-27140 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-27140 [HIGH] CVE-2026-27140 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27140: Golang vulnerability analysis and mitigation
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
Source: NVD
Published: April 8, 2026
CNA Score: N/A
Affected Technologies: Golang, Linux Debian
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: golang-1.19, golang-1.24
Sources: NVD
Debian 11, 12, 13: No Fix (added at Apr 09, 2026)
Debian 14: Has Fix (added at Apr 09, 2026)
Echo: No Fix (added at Apr 09, 2026)
Linux: Has Fix (added at Apr 09, 2026)
Windows: Has Fix (added at Apr 09, 2026)
## Get a CVE
https://go.dev/cl/763768
https://go.dev/issue/78335
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4871
https://access.redhat.com/errata/RHSA-2026:10217
https://access.redhat.com/errata/RHSA-2026:10219
https://access.redhat.com/errata/RHSA-2026:10704
https://access.redhat.com/errata/RHSA-2026:16021
https://access.redhat.com/errata/RHSA-2026:16024
https://access.redhat.com/errata/RHSA-2026:16494
https://access.redhat.com/errata/RHSA-2026:16497
https://access.redhat.com/errata/RHSA-2026:16498
https://access.redhat.com/errata/RHSA-2026:16694
https://access.redhat.com/errata/RHSA-2026:16697
https://access.redhat.com/errata/RHSA-2026:16698
https://access.redhat.com/errata/RHSA-2026:23246
https://access.redhat.com/errata/RHSA-2026:25182
https://access.redhat.com/security/cve/CVE-2026-27140
https://bugzilla.redhat.com/show_bug.cgi?id=2456341
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27140.json
Published 2026-04-08