Code Smuggling Vulnerability in Go and C/C++ Parsing Affecting Go Applications
CVE-2025-61732

8.6HIGH

Key Information:

Vendor: Go Toolchain
Status: Cmd/cgo
Vendor: CVE Published:; 5 February 2026

🔔 Create Go Toolchain Vulnerability Alert

What is CVE-2025-61732?

A parsing inconsistency between the Go and C/C++ comment syntaxes has introduced a vulnerability that allows malicious code to be smuggled into the cgo binaries generated by Go applications. This issue arises when comments are processed differently in these languages, potentially leading to unintended execution of harmful code. Developers using Go in conjunction with C/C++ must be aware of this security flaw and implement appropriate measures to safeguard their applications.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

cmd/cgo 0 < 1.24.13

cmd/cgo 1.25.0-0 < 1.25.7

References

https://go.dev/cl/734220

https://go.dev/issue/76697

https://groups.google.com/g/golang-announce/c/K09ubi9FQFk

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 5, 2026
Vulnerability Reserved
Sep 30, 2025

Credit

RyotaK (https://ryotak.net) of GMO Flatt Security Inc.

JSON

Go Toolchain

What is CVE-2025-61732?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.