Go Cgo Code Smuggling Vulnerability

Vulnerability

A vulnerability exists in the Go programming language's Cgo tool, affecting Go versions prior to 1.24.13 and versions 1.25.0 through 1.25.6. It arises from a difference in how Go and C/C++ comment syntax is interpreted, which can be exploited to inject C code into the Cgo binary. The smuggled code is typically ignored by the Go compiler but can still be executed under certain conditions.

Impact

Exploitation of this vulnerability allows C code to be injected into the Cgo binary; if that code runs, the result can be arbitrary code execution.

Remediation

Users should upgrade to Go 1.24.13 or Go 1.25.7, both of which include the fix. Instructions for downloading these versions are available on the Go website.
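As an added defender-side check (example code, not part of this advisory or of the Go project): a small Go program that parses a toolchain version string, as returned by runtime.Version() or `go version`, and reports whether it falls inside the affected ranges the entry names. The integer encoding of versions and the decision to treat a prerelease as its release are my assumptions.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"runtime"
	"strconv"
)

// Matches "go1.25.3", "1.24" or "go1.25rc1"; the patch number is optional.
var goVersionRe = regexp.MustCompile(`^(?:go)?(\d+)\.(\d+)(?:\.(\d+))?([A-Za-z].*)?$`)

// versionKey turns a toolchain string such as runtime.Version() returns into
// an ordinal (major*1e6 + minor*1e3 + patch) so ranges compare as integers.
// Assumption: a prerelease ("go1.25rc1") is treated as its release (1.25.0),
// since it predates that line's fix.
func versionKey(s string) (int, error) {
	m := goVersionRe.FindStringSubmatch(s)
	if m == nil {
		return 0, fmt.Errorf("unrecognised Go version %q", s)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch := 0
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return major*1_000_000 + minor*1_000 + patch, nil
}

// IsAffectedGoVersion applies the advisory's ranges: anything before 1.24.13,
// or 1.25.0 through 1.25.6. Fixed releases are 1.24.13 and 1.25.7 or later.
func IsAffectedGoVersion(s string) (bool, error) {
	k, err := versionKey(s)
	if err != nil {
		return false, err
	}
	fix124, first125, fix125 := 1_024_013, 1_025_000, 1_025_007
	return k < fix124 || (k >= first125 && k < fix125), nil
}

func main() {
	affected, err := IsAffectedGoVersion(runtime.Version())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%s affected (needs 1.24.13 or 1.25.7+): %v\n", runtime.Version(), affected)
}
```

Run it under the toolchain you want to audit, or feed it the output of `go version` from build hosts and CI images; a development build ("devel ...") is reported as unrecognised rather than silently passed.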

Added: Feb 5, 2026, 4:19 AM
Updated: Feb 5, 2026, 4:19 AM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 3.7
remediation: 7.7
relevance: 2.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.