Code Execution Vulnerability in SWIG File Handling for Go Programming
CVE-2026-27140

8.8HIGH

Key Information:

Vendor: Go Toolchain
Status: Cmd/go
Vendor: CVE Published:; 8 April 2026

🔔 Create Go Toolchain Vulnerability Alert

What is CVE-2026-27140?

A vulnerability exists within the Go programming language due to improper handling of SWIG files containing 'cgo'. Attackers can exploit this flaw by crafting specifically designed payloads that may lead to code smuggling and arbitrary code execution during the software build process. This issue reflects a significant trust layer bypass, allowing harmful code to be introduced without proper verification. Developers using the affected Go versions are advised to implement mitigations promptly.

Affected Version(s)

cmd/go 0 < 1.25.9

cmd/go 1.26.0-0 < 1.26.2

References

https://go.dev/cl/763768

https://go.dev/issue/78335

https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Feb 17, 2026

Credit

Juho Forsén of Mattermost

CVE-2026-27140 Data

JSON