Symlink Vulnerability in Go Programming Language Temporary Files
CVE-2026-39819

Currently unrated

Key Information:

CVE Published: 7 May 2026

What is CVE-2026-39819?

A security flaw in the Go programming language's 'go bug' command causes it to write to two files with fixed names in the system's temporary directory. An attacker with access to this directory could exploit this behavior by creating a symbolic link (symlink) at one of those names that points to a target file. The 'go bug' command would then unintentionally overwrite the content of the linked file, potentially leading to data loss or further exploitation. This vulnerability emphasizes the need for secure handling of temporary files and symlinks in applications.
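
The pattern described above, as an added example that is not taken from the Go source tree or from the project's fix: a write to a fixed name follows a pre-existing symlink, while os.CreateTemp (random name, exclusive create) leaves the linked file untouched. The names report.txt and victim.txt are hypothetical, and everything runs inside a private sandbox directory constructed for the demonstration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// writeFixed is the risky pattern: os.WriteFile on a predictable name follows an existing symlink.
func writeFixed(dir, name string, data []byte) error {
	return os.WriteFile(filepath.Join(dir, name), data, 0o600)
}

// writeExclusive uses os.CreateTemp: random name, opened O_CREATE|O_EXCL, so a planted link is never opened.
func writeExclusive(dir, pattern string, data []byte) (string, error) {
	f, err := os.CreateTemp(dir, pattern)
	if err != nil {
		return "", err
	}
	defer f.Close()
	_, err = f.Write(data)
	return f.Name(), err
}

// demo runs both patterns in a sandbox and returns the victim file's contents after each write.
func demo() (afterFixed, afterExclusive string, err error) {
	dir, err := os.MkdirTemp("", "symlink-demo-")
	if err != nil {
		return "", "", err
	}
	defer os.RemoveAll(dir)
	victim := filepath.Join(dir, "victim.txt")
	read := func() string { b, _ := os.ReadFile(victim); return string(b) }
	os.WriteFile(victim, []byte("important"), 0o600)
	// "report.txt" is a hypothetical fixed name that already exists as a symlink to the victim.
	if err = os.Symlink(victim, filepath.Join(dir, "report.txt")); err != nil {
		return "", "", err
	}
	if err = writeFixed(dir, "report.txt", []byte("tool output")); err != nil {
		return "", "", err
	}
	afterFixed = read() // the write went through the link into victim.txt
	os.WriteFile(victim, []byte("important"), 0o600)
	_, err = writeExclusive(dir, "report-*.txt", []byte("tool output"))
	return afterFixed, read(), err
}

func main() { fmt.Println(demo()) }
```

When a fixed name is unavoidable, opening it with os.O_CREATE|os.O_EXCL makes the open fail if anything, including a symlink, already exists at that path.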

Affected Version(s)

cmd/go 0 < 1.25.10

cmd/go 1.26.0-0 < 1.26.3

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Harshit Gupta (Mr HAX)