CVE-2026-27140 — Improper Restriction of Names for Files and Other Resources in Toolchain CMD GO
Severity
8.8 HIGH (NVD)
EPSS
0.0%
top 94.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 8
Latest update: Apr 9
Description
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 1 package
Vulnerability Details (4)
OSV
CVE-2026-27140: SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer (2026-04-08)
GHSA
GHSA-5w89-2c2x-6x66: SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer (2026-04-08)
Vendor Advisories (2)
Threat Intelligence (1)
Community (4)
Bugzilla
CVE-2026-27140 golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names [fedora-all] (2026-04-09)
Bugzilla
CVE-2026-27140 gcc-epel: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names [epel-all] (2026-04-09)
Bugzilla
CVE-2026-27140 golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names [fedora-43] (2026-04-09)
Bugzilla
CVE-2026-27140 cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names (2026-04-08)