Go Command 'go bug' Temporary File Overwrite Vulnerability

Vulnerability

A vulnerability exists in the Go command 'go bug' in versions prior to 1.25.10 and in the 1.26.0-0 range prior to 1.26.3. The issue arises because 'go bug' writes to two files with predictable names in the system temporary directory. An attacker with access to that directory can create a symlink at one of those names, so that when 'go bug' writes the file it instead overwrites the symlink's target. This vulnerability was reported by Harshit Gupta (Mr HAX) and is tracked as CVE-2026-39819.

Impact

Exploitation of this vulnerability allows arbitrary file overwriting: 'go bug' unintentionally replaces the contents of whichever file the symlink points to.

Reproduction

To reproduce this vulnerability, create a symlink in the system temporary directory, at one of the predictable file names, that points to a target file. Then execute the 'go bug' command. The command follows the symlink and overwrites the target with the data it intended to write to the temporary file, effectively allowing controlled file modification.

Remediation

The 'go bug' command has been updated to use 'os.MkdirTemp' to create a private temporary directory with a randomized name, so the file paths are no longer predictable and a symlink cannot be planted at them in advance. Users should upgrade to Go 1.26.3 or 1.25.10.
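An added example (not the Go project's own code) of the pattern the fix relies on: a randomized directory from os.MkdirTemp combined with an exclusive create, so a pre-planted link at the path is refused rather than followed. The file name reportName and the "go-bug-*" directory prefix are assumptions; the real names used by 'go bug' are not given here.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Assumed report file name (the real 'go bug' names are not on the page). The
// weak pattern is filepath.Join(os.TempDir(), reportName): a fixed, guessable path.
const reportName = "report.txt"

// writeReportSafe is the hardened pattern: a fresh, unpredictable, mode-0700
// directory from os.MkdirTemp, plus an exclusive create so the open fails
// instead of following anything that already exists at the path.
func writeReportSafe(base string, data []byte) (string, error) {
	dir, err := os.MkdirTemp(base, "go-bug-*")
	if err != nil {
		return "", err
	}
	path := filepath.Join(dir, reportName)
	if err := writeNoClobber(path, data); err != nil {
		return "", err
	}
	return path, nil
}

// writeNoClobber creates path exclusively. O_CREATE|O_EXCL makes the open
// fail with EEXIST if any entry, including a symlink, already exists there,
// so a pre-planted link is never followed.
func writeNoClobber(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

// isExistsErr reports whether err is the "already exists" refusal.
func isExistsErr(err error) bool { return errors.Is(err, os.ErrExist) }

func main() {
	p, err := writeReportSafe(os.TempDir(), []byte("constructed sample report\n"))
	fmt.Println(p, err)
}
```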

Added: May 7, 2026, 9:04 PM
Updated: May 7, 2026, 9:04 PM

Vulnerability Rating

Custom Algorithm
  spread          5.4
  impact          0.6
  exploitability  4.0
  remediation     7.7
  relevance       7.7
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.