CVE-2026-32282
Published 2026-04-08

Priority: P4 | CVSS 3.1: 6.4 (medium) | Vector: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.29% (20.9th percentile)

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

In short: a time-of-check/time-of-use race (CWE-367) in os.Root.Chmod. The raw Linux fchmodat syscall takes only a dirfd, a path and a mode; it has no flags argument, so the AT_SYMLINK_NOFOLLOW bit that Root.Chmod passes is never seen by the kernel (glibc emulates the flag in user space, and only the newer fchmodat2 syscall accepts flags). Exploitation needs a local attacker who can write inside the root and replace the checked name with a symlink in the window between Root.Chmod's pre-check and the syscall; the result is a permission change on a file outside the root. Fixed in Go 1.25.9 and 1.26.2.
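The program below is an added example, not code from the Go project or from any advisory quoted on this page. Rather than trying to win the race, it constructs the state an attacker reaches after winning it (a name inside the root that is now a symlink to a file outside it) and then shows two things: that the raw fchmodat syscall changes the outside file even though AT_SYMLINK_NOFOLLOW was passed, and one way to apply a mode without ever following a symlink (open the name with O_PATH|O_NOFOLLOW, refuse a symlink, then chmod through /proc/self/fd). It is Linux-only; the constants atSymlinkNofollow and oPath are the x86-64/arm64 header values, the temp-directory layout and file contents are constructed for the demo, and the safe path assumes /proc is mounted.

```go
//go:build linux

// Added example for CVE-2026-32282 (not Go project code): shows that the raw
// Linux fchmodat syscall ignores AT_SYMLINK_NOFOLLOW, and a no-follow chmod.
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
	"unsafe"
)

// Header values (x86-64/arm64); the syscall package does not export them all.
const (
	atSymlinkNofollow = 0x100    // AT_SYMLINK_NOFOLLOW from <fcntl.h>
	oPath             = 0x200000 // O_PATH: handle without read/write access
)

// rawFchmodat invokes the fchmodat(2) syscall itself (not the libc wrapper)
// with a fourth "flags" argument. The kernel entry point takes only dirfd,
// path and mode; the extra register is discarded, so the flag never reaches
// the kernel and the path is resolved with symlinks followed.
func rawFchmodat(dirfd int, name string, mode uint32, flags int) error {
	p, err := syscall.BytePtrFromString(name)
	if err != nil {
		return err
	}
	_, _, errno := syscall.Syscall6(syscall.SYS_FCHMODAT, uintptr(dirfd),
		uintptr(unsafe.Pointer(p)), uintptr(mode), uintptr(flags), 0, 0)
	if errno != 0 {
		return errno
	}
	return nil
}

// chmodNoFollow changes the mode of name (relative to dirfd) without following
// a symlink: it opens the name itself with O_PATH|O_NOFOLLOW, so a later rename
// cannot redirect the handle, refuses if the opened object is a symlink, and
// applies the mode through /proc/self/fd/N (the emulation glibc uses for
// AT_SYMLINK_NOFOLLOW). Assumes /proc is mounted.
func chmodNoFollow(dirfd int, name string, mode uint32) error {
	fd, err := syscall.Openat(dirfd, name, oPath|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
	if err != nil {
		return err
	}
	defer syscall.Close(fd)
	var st syscall.Stat_t
	if err := syscall.Fstat(fd, &st); err != nil {
		return err
	}
	if st.Mode&syscall.S_IFMT == syscall.S_IFLNK {
		return fmt.Errorf("chmodNoFollow: %q is a symlink, refusing", name)
	}
	return syscall.Chmod(fmt.Sprintf("/proc/self/fd/%d", fd), mode)
}

// demo builds the post-race layout (constructed sample files) and applies both
// variants. It returns the outside file's permission bits after the raw call,
// the bits of a regular file inside the root after chmodNoFollow, and the
// error chmodNoFollow returned for the symlink.
func demo() (victimAfterRaw, plainAfterSafe os.FileMode, symlinkErr error, err error) {
	base, err := os.MkdirTemp("", "cve-2026-32282-")
	if err != nil {
		return 0, 0, nil, err
	}
	defer os.RemoveAll(base)
	victim := filepath.Join(base, "victim") // lives OUTSIDE the root
	root := filepath.Join(base, "root")
	plain := filepath.Join(root, "plain")
	if err = os.WriteFile(victim, []byte("constructed sample"), 0o600); err != nil {
		return
	}
	if err = os.Mkdir(root, 0o755); err != nil {
		return
	}
	if err = os.WriteFile(plain, []byte("constructed sample"), 0o600); err != nil {
		return
	}
	// The attacker's swap: "target" inside the root now points outside it.
	if err = os.Symlink(victim, filepath.Join(root, "target")); err != nil {
		return
	}
	dirfd, err := syscall.Open(root, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return
	}
	defer syscall.Close(dirfd)
	// What the vulnerable code path effectively does after its check passed.
	if err = rawFchmodat(dirfd, "target", 0o666, atSymlinkNofollow); err != nil {
		return
	}
	st, err := os.Stat(victim)
	if err != nil {
		return
	}
	victimAfterRaw = st.Mode().Perm() // the file outside the root was changed
	symlinkErr = chmodNoFollow(dirfd, "target", 0o666) // refused
	if err = chmodNoFollow(dirfd, "plain", 0o640); err != nil {
		return
	}
	if st, err = os.Stat(plain); err != nil {
		return
	}
	plainAfterSafe = st.Mode().Perm()
	return
}

func main() {
	victimAfterRaw, plainAfterSafe, symlinkErr, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("raw fchmodat + AT_SYMLINK_NOFOLLOW: file outside root is now %o\n", victimAfterRaw)
	fmt.Printf("chmodNoFollow on the symlink: %v\n", symlinkErr)
	fmt.Printf("chmodNoFollow on a regular file: %o\n", plainAfterSafe)
}
```

Run it with `go run` on any Linux host: the first line reports 666 for a file that was never inside the root, which is the whole bug; the second line is the refusal; the third shows the no-follow variant still works on ordinary files. Holding an O_PATH fd is what removes the check/use gap: whatever the attacker renames afterwards, the fd still refers to the object that was inspected.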
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.19 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.24 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.25 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.26 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| go_standard_library | internal_syscall_unix | < 1.25.9 | 1.25.9 |
| go_standard_library | internal_syscall_unix | >= 1.26.0-0 < 1.26.2 | 1.26.2 |
| golang | go | < 1.25.9 | 1.25.9 |
| golang | go | >= 1.26.0 < 1.26.2 | 1.26.2 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 6.4 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| OSV | 6.4 | MEDIUM | |
| Debian | 6.4 | MEDIUM | |
| Red Hat | 6.4 | MEDIUM | |
Red Hat
golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
vendor_redhat · 2026-04-08 · CVSS 6.4 (MEDIUM) · CWE-367
A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.
Statement: To exploit this issue, an attacker needs access to the system and the required permissions to create a symbolic link. Additionally, the attacker must swap the target file with a symbolic link in the exact window after the `Root.Chmod` function checks its target but before ac
Debian
CVE-2026-32282: golang-1.15 - On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod...
vendor_debian · 2026 · CVSS 6.4 (MEDIUM)
Scope: local
bullseye: open
VulDB
syscall-unix up to 1.25.8/1.26.1 on Go Root.Chmod AT_SYMLINK_NOFOLLOW symlink (Nessus ID 305649 / WID-SEC-2026-1006)
vuldb · 2026-05-04 · CVSS 6.4 (MEDIUM)
A vulnerability categorized as critical has been discovered in syscall-unix up to 1.25.8/1.26.1 on Go. Affected by this issue is the function Root.Chmod. Executing a manipulation of the argument AT_SYMLINK_NOFOLLOW can lead to symlink following.
This vulnerability is tracked as CVE-2026-32282. The attack is restricted to local execution. No exploit exists.
It is advisable to upgrade the affected component.
OSV
CVE-2026-32282: On Linux, if the target of Root
osv · 2026-04-08 · CVSS 6.4 (MEDIUM)
GHSA
GHSA-xj38-jxc5-rppx: On Linux, if the target of Root
ghsa_unreviewed · 2026-04-08
OSV
TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix
osv · 2026-04-07
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-27144 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1 (HIGH)
## CVE-2026-27144: Golang vulnerability analysis and mitigation
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
Source : NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-race
go-toolset
Sources
NVD
Debian 11, 12, 13 No Fix Added at: Apr 09, 2026
Debian 14 Has Fix Added at: Apr 09, 2026
Echo No Fix Added at: Apr 09, 202
Wiz
CVE-2026-32281 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9 (MEDIUM)
## CVE-2026-32281: Grafana vulnerability analysis and mitigation
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Source : NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Grafana
Podman
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
go-toolset:rhel8::golang-tests
grafana-mssql
Sources
NVD
Debian
Wiz
CVE-2026-32288 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9 (MEDIUM)
## CVE-2026-32288: Grafana vulnerability analysis and mitigation
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
Source : NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Grafana
Podman
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-postgres
golang-1.26
Sources
NVD
Debian 11, 12, 13 No Fix Added at: Apr 09, 2026
Debian 14 Has Fix Added at: Apr 09, 2026
Echo No Fix Added at: Apr 09, 2026
Red Hat 8, 9, 10 Severity MEDIUM No Fix Added at: Apr 09, 2026
Wiz
CVE-2026-32283 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.4 (MEDIUM)
## CVE-2026-32283: Golang vulnerability analysis and mitigation
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Source : NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-1.15
golang-1.19
Sources
NVD
Debian 11, 12, 13 No Fix Added at: Apr 09, 2026
Debian 14 Has Fix Added at: Apr 09, 2026
Echo No Fix Added at: Apr 09, 2026
Linux
Wiz
CVE-2026-27140 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.8 (HIGH)
## CVE-2026-27140: Golang vulnerability analysis and mitigation
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
Source : NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-1.19
golang-1.24
Sources
NVD
Debian 11, 12, 13 No Fix Added at: Apr 09, 2026
Debian 14 Has Fix Added at: Apr 09, 2026
Echo No Fix Added at: Apr 09, 2026
Linux Has Fix Added at: Apr 09, 2026
Windows Has Fix Added at: Apr 09, 2026
Wiz
CVE-2026-32280 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5 (HIGH)
## CVE-2026-32280: Golang vulnerability analysis and mitigation
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Source : NVD
Score 7.5
Published April 8, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-1.15
golang-1.19
Sources
NVD
Debian 11, 12, 13 Severity HIGH No Fix Added at: Apr 09, 2026
Wiz
CVE-2026-33810 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.4 (MEDIUM)
## CVE-2026-33810: Golang vulnerability analysis and mitigation
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Source : NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:golang:go
golang-1.26
Sources
NVD
Debian 14 Has Fix Adde
Wiz
CVE-2026-27143 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 (CRITICAL)
## CVE-2026-27143: Golang vulnerability analysis and mitigation
Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.
Source : NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-1.24
golang-1.25
Sources
NVD
Debian 11, 12, 13 No Fix Added at: Apr 09, 2026
Debian 14 Has Fix Added at: Apr 09, 2026
Echo No Fix Added at: Apr 09, 2026
Red Hat 8, 9, 10 Severity MED
Wiz
CVE-2026-32289 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9 (MEDIUM)
## CVE-2026-32289: Grafana vulnerability analysis and mitigation
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
Source : NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Grafana
Podman
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages
Wiz
CVE-2026-32282 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9 (MEDIUM)
## CVE-2026-32282: Grafana vulnerability analysis and mitigation
Source : NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Grafana
Podman
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due
Bugzilla
CVE-2026-32282 golang: Root.Chmod can follow symlinks out of the root [fedora-all]
bugzilla · 2026-04-09 · CVSS 6.4 (MEDIUM)
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-32282 golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
bugzilla · 2026-04-08 · CVSS 6.4 (MEDIUM)
Published 2026-04-08