CVE-2026-32282: Time-of-check Time-of-use (TOCTOU) Race Condition in Standard Library Internal Syscall Unix

Severity
6.4 MEDIUM (NVD)
EPSS
0.0%
top 99.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 8
Latest update: Apr 9

Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.5 | Impact: 5.9

Affected Packages (6 packages)

CVEListV5 go_standard_library/internal_syscall_unix 1.26.0-0 1.26.2 +1
debian debian/golang-1.15 < golang-1.25 1.25.9-1 (sid)
debian debian/golang-1.19 < golang-1.25 1.25.9-1 (sid)
debian debian/golang-1.24 < golang-1.25 1.25.9-1 (sid)
debian debian/golang-1.25 < golang-1.25 1.25.9-1 (sid)

🔴 Vulnerability Details

3
OSV
CVE-2026-32282: On Linux, if the target of Root (2026-04-08)
GHSA
GHSA-xj38-jxc5-rppx: On Linux, if the target of Root (2026-04-08)
OSV
TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix (2026-04-07)

📋 Vendor Advisories

2
Red Hat
golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (2026-04-08)
Debian
CVE-2026-32282: golang-1.15 - On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod...2026

🕵️ Threat Intelligence

10
Wiz
CVE-2026-27144 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-32281 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-32288 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-32283 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-27140 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community

2
Bugzilla
CVE-2026-32282 golang: Root.Chmod can follow symlinks out of the root [fedora-all] (2026-04-09)
Bugzilla
CVE-2026-32282 golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (2026-04-08)
CVE-2026-32282 — MEDIUM severity | cvebase