Checksum Validation Flaw in Go Toolchain by Google
CVE-2026-42501
Currently unrated
What is CVE-2026-42501?
A flaw in how the Go toolchain validates module checksums can be exploited by untrusted module proxies to bypass checksum database validation. This can lead to the execution of altered versions of the toolchain without proper validation. Although the go command attempts to verify hashes against the checksum database, a malicious proxy may return an empty or unrelated checksum response, which the go command treats as a successful validation, allowing potential execution of untrusted modules. Users are advised to validate their dependencies and update their Go toolchain to mitigate this risk.
Affected Version(s)
cmd/go 0 < 1.25.10
cmd/go 1.26.0-0 < 1.26.3
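
A check of a Go release string against the two affected ranges listed above, as an added example (not part of the advisory or the Go project's code). The function name Affected and the sample version strings are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// goVer matches release strings such as "go1.25.9", "go1.26rc1" or
// "go1.26.2-custom". Development builds ("devel ...") do not match.
var goVer = regexp.MustCompile(`^go1\.(\d+)(?:\.(\d+)|(?:rc|beta)\d+)?(?:[-+ ].*)?$`)

// Affected reports whether a Go release string falls in the ranges the
// advisory lists: anything below 1.25.10, and 1.26.0-0 up to but not
// including 1.26.3. ok is false when the string is not a recognisable
// release and needs manual review.
func Affected(v string) (affected, ok bool) {
	m := goVer.FindStringSubmatch(v)
	if m == nil {
		return false, false
	}
	minor, _ := strconv.Atoi(m[1])
	patch := 0 // rc/beta builds sort before 1.N.0, so they count as patch 0
	if m[2] != "" {
		patch, _ = strconv.Atoi(m[2])
	}
	switch {
	case minor < 25:
		return true, true
	case minor == 25:
		return patch < 10, true
	case minor == 26:
		return patch < 3, true // includes 1.26 pre-releases (the "1.26.0-0" bound)
	default:
		return false, true
	}
}

func main() {
	// Constructed sample strings, plus the toolchain that built this binary.
	samples := []string{"go1.24.13", "go1.25.9", "go1.25.10", "go1.26rc1", "go1.26.2", "go1.26.3", runtime.Version()}
	for _, v := range samples {
		a, ok := Affected(v)
		fmt.Printf("%-12s affected=%v recognised=%v\n", v, a, ok)
	}
}
```

runtime.Version() reports the toolchain that built the binary; to check the go command installed on a machine, pass the output of `go env GOVERSION` to Affected instead.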
