File Handling Vulnerability in Go Programming Language by Google
CVE-2026-39817
Currently unrated
What is CVE-2026-39817?
The 'pack' subcommand in the Go programming language allows users to extract archive files, but it lacks proper sanitization of output filenames. This can lead to the extraction of files to unintended locations on the filesystem when handling maliciously crafted archives. Such behavior poses a significant risk, as attackers can manipulate the environment to overwrite sensitive files or execute unauthorized actions. Developers are advised to review their usage of the 'pack' command and implement proper validation measures to mitigate potential exploitation risks.
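One way to apply the output-filename validation described above before writing any extracted file, as an added example (not code from the Go project or its fix). The helper name SafeExtractPath, the destination directory "out", the member names, and the policy of refusing backslashes and NUL bytes are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName marks an archive member name that must not be extracted.
var ErrUnsafeName = errors.New("unsafe archive member name")

// SafeExtractPath (hypothetical helper) maps an archive member name to a
// path inside destDir, or returns ErrUnsafeName if the name could escape it.
func SafeExtractPath(destDir, member string) (string, error) {
	reject := func(why string) (string, error) {
		return "", fmt.Errorf("%w: %q (%s)", ErrUnsafeName, member, why)
	}
	// Policy assumption: refuse NUL bytes and backslashes outright, so a
	// Windows-style "..\x" is never reinterpreted as a separator later.
	if strings.ContainsAny(member, "\x00\\") {
		return reject("NUL or backslash in name")
	}
	name := filepath.FromSlash(member)
	// IsLocal rejects empty names, absolute paths and names that climb
	// out of the current directory via ".." (lexical check only).
	if !filepath.IsLocal(name) {
		return reject("not a local path")
	}
	if filepath.Clean(name) == "." {
		return reject("resolves to the destination directory itself")
	}
	target := filepath.Join(destDir, name)
	// Defence in depth: confirm the joined path is still under destDir.
	rel, err := filepath.Rel(destDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return reject("escapes destination")
	}
	return target, nil
}

func main() {
	// Constructed member names for illustration; not taken from a real archive.
	for _, m := range []string{"_go_.o", "../../outside.o", "/etc/passwd", "a/../../b", "."} {
		p, err := SafeExtractPath("out", m)
		fmt.Printf("%-20q -> %q, %v\n", m, p, err)
	}
}
```

The check is lexical only: it does not detect a symlink that already exists inside the destination directory, so extraction into a directory that other parties can write to needs an additional control such as os.Root (Go 1.24 and later).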
Affected Version(s)
cmd/go 0 < 1.25.10
cmd/go 1.26.0-0 < 1.26.3
