Checksum Validation Flaw in Go Toolchain by Google
CVE-2026-42501

7.5HIGH

Key Information:

Vendor: Go Toolchain
Status: Cmd/go
Vendor: CVE Published:; 7 May 2026

🔔 Create Go Toolchain Vulnerability Alert

What is CVE-2026-42501?

A flaw in the Go toolchain's validation of module checksums can be exploited by untrusted module proxies, allowing them to bypass checksum database validation. This can lead to the execution of altered versions of the toolchain without proper validation. Despite the go command's effort to verify hashes against the checksum database, a malicious proxy may return an empty or unrelated checksum response, resulting in successful validation and potential execution of untrusted modules. Users are advised to validate their dependencies and update their Go toolchain to mitigate this risk.

Affected Version(s)

cmd/go 0 < 1.25.10

cmd/go 1.26.0-0 < 1.26.3

References

https://go.dev/cl/775321

https://go.dev/issue/79070

https://groups.google.com/g/golang-announce/c/qcCIEXso47M

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 7, 2026
Vulnerability Reserved
Apr 28, 2026

Credit

Mundur (https://github.com/M0nd0R)

CVE-2026-42501 Data

JSON