golang
cpe:2.3:a:golang:go:*:*:*:*:*:*:*
- < go1.25.9
- >= go1.26.0-0, < go1.26.2
A vulnerability exists in the Go programming language's SWIG interface handling, specifically within the `cmd/go` command. The issue is a trust layer bypass: crafted SWIG source files can exploit a file-naming convention recognized by the cgo compiler. As a result, the vulnerability could lead to code smuggling and arbitrary code execution during the build process. This issue affects Go versions prior to 1.25.9, and 1.26 versions from 1.26.0 up to but not including 1.26.2.
Exploitation of this vulnerability could result in unauthorized code execution during the build process, potentially allowing malicious actors to execute arbitrary code in the context of the user building the Go application.
Users can upgrade to Go versions 1.26.2 or 1.25.9, both of which include the patch for this vulnerability.
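A version check against the affected ranges listed above, as an added example (not code from the Go project or from this advisory). The function name `Affected` and the sample version strings are assumptions made for illustration; 1.26 release candidates and betas are treated as affected, following the `>= go1.26.0-0` lower bound.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Matches toolchain strings such as "go1.25.9", "go1.26rc1", "go1.26.0".
var goVer = regexp.MustCompile(`^go1\.(\d+)(?:\.(\d+)|(?:rc|beta)(\d+))?`)

// Affected reports whether Go toolchain version v falls inside the ranges
// listed on this page: < go1.25.9, or >= go1.26.0-0 and < go1.26.2.
func Affected(v string) (bool, error) {
	m := goVer.FindStringSubmatch(v)
	if m == nil {
		return false, fmt.Errorf("unrecognized Go version %q", v)
	}
	minor, _ := strconv.Atoi(m[1])
	patch := 0 // "go1.20" style strings carry no patch component
	if m[3] != "" {
		patch = -1 // rc/beta sorts below the .0 release (the "-0" lower bound)
	} else if m[2] != "" {
		patch, _ = strconv.Atoi(m[2])
	}
	switch {
	case minor < 25:
		return true, nil // every older release line is below go1.25.9
	case minor == 25:
		return patch < 9, nil // numeric compare: 1.25.10 is not below 1.25.9
	case minor == 26:
		return patch < 2, nil // rc, beta, 1.26.0 and 1.26.1
	}
	return false, nil // release lines after 1.26 are outside the listed ranges
}

func main() {
	// Constructed sample versions, not taken from the page.
	samples := []string{"go1.24.13", "go1.25.8", "go1.25.9", "go1.25.10",
		"go1.26rc1", "go1.26.1", "go1.26.2"}
	for _, v := range samples {
		hit, err := Affected(v)
		fmt.Println(v, hit, err)
	}
}
```

Feed it the string reported by `go version` on each build host or CI image, since the flaw is triggered at build time by the toolchain doing the build.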