Symlink Vulnerability in Linux Affecting Various Applications
CVE-2026-32282

6.4 MEDIUM

Key Information:

Vendor
CVE Published: 8 April 2026

What is CVE-2026-32282?

On Linux, the Root.Chmod operation is vulnerable to symlink traversal. If the target of a chmod operation is replaced with a symlink while the operation is in progress, the chmod can operate on the symlink's target instead. The cause is that the fchmodat system call does not honor the AT_SYMLINK_NOFOLLOW flag, which is intended to prevent unauthorized access to files outside the intended root directory. Root.Chmod verifies its target before acting and usually returns an error for unsafe symlinks, but a target that is swapped for a symlink between the verification and the operation can still be modified without authorization.
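The gap between verification and operation described above disappears when the mode change is applied through a file descriptor instead of a path. The Go program below is an added example, not code from the Go project or its fix; `chmodNoFollow` and the temporary file names are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// chmodNoFollow is a hypothetical helper, not part of os.Root. It binds to the
// file with a descriptor first and changes the mode through that descriptor,
// so the path is never resolved a second time between check and chmod.
func chmodNoFollow(path string, mode os.FileMode) error {
	// O_NOFOLLOW: the open fails if the final path component is a symlink.
	// O_NONBLOCK: do not hang if the name turns out to be a FIFO.
	f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NOFOLLOW|syscall.O_NONBLOCK, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	// Inspect the object actually held, not whatever the name points at now.
	fi, err := f.Stat()
	if err != nil {
		return err
	}
	if !fi.Mode().IsRegular() && !fi.IsDir() {
		return fmt.Errorf("chmodNoFollow: %s: unexpected file type %v", path, fi.Mode().Type())
	}
	// fchmod(2) on the descriptor: replacing the name with a symlink after
	// the open cannot redirect the mode change to another inode.
	return f.Chmod(mode)
}

func main() {
	// Constructed sample layout in a temporary directory.
	dir, err := os.MkdirTemp("", "chmod-demo-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	inside, outside := filepath.Join(dir, "inside.txt"), filepath.Join(dir, "outside.txt")
	link := filepath.Join(dir, "link")
	_ = os.WriteFile(inside, nil, 0o600)
	_ = os.WriteFile(outside, nil, 0o600)
	_ = os.Symlink(outside, link)
	fmt.Println("regular file:", chmodNoFollow(inside, 0o640)) // <nil>
	fmt.Println("symlink:", chmodNoFollow(link, 0o666))        // error, outside.txt untouched
}
```

The descriptor-based call guards only the final path component and needs read permission on the file; it does not replace the directory containment that os.Root provides.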

Affected Version(s)

internal/syscall/unix linux 0 < 1.25.9

internal/syscall/unix linux 1.26.0-0 < 1.26.2

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Uuganbayar Lkhamsuren (https://github.com/uug4na)