Code Execution Vulnerability in SWIG File Handling for Go Programming
CVE-2026-27140

Currently unrated

Key Information:

Vendor: Go Toolchain
Status: Cmd/go
Vendor: CVE Published:; 8 April 2026

🔔 Create Go Toolchain Vulnerability Alert

What is CVE-2026-27140?

A vulnerability exists within the Go programming language due to improper handling of SWIG files containing 'cgo'. Attackers can exploit this flaw by crafting specifically designed payloads that may lead to code smuggling and arbitrary code execution during the software build process. This issue reflects a significant trust layer bypass, allowing harmful code to be introduced without proper verification. Developers using the affected Go versions are advised to implement mitigations promptly.

Affected Version(s)

cmd/go 0 < 1.25.9

cmd/go 1.26.0-0 < 1.26.2

References

https://go.dev/cl/763768

https://go.dev/issue/78335

https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Feb 17, 2026

Credit

Juho Forsén of Mattermost

CVE-2026-27140 Data

JSON