CVE-2026-39819

Published: May 13, 2026Last modified: May 16, 2026

Description

The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

Severity score breakdown

ParameterValue
Base score5.3
Attack VectorLOCAL
Attack complexityHIGH
Privileges requiredLOW
User interactionNONE
ScopeUNCHANGED
ConfidentialityLOW
Integrity impactHIGH
Availability impactNONE
VectorCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTSgoFixed (1.25.10-r0)
25 LTSgoFixed (1.25.10-r0)
StreamgoFixed (1.26.3-r0)
Hardened Containers23 LTSgoFixed (1.25.10-r0)
25 LTSgoFixed (1.25.10-r0)
StreamgoFixed (1.26.3-r0)

References

ON THIS PAGE