CVE-2026-39817 | THREATINT

Description

The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

PUBLISHED Reserved 2026-04-07 | Published 2026-05-07 | Updated 2026-05-08 | Assigner Go

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status

unaffected

Any version before 1.25.10

affected

1.26.0-0 (semver) before 1.26.3

affected

Credits

Harshit Gupta (Mr HAX)

References

go.dev/issue/78778

go.dev/cl/767520

groups.google.com/g/golang-announce/c/qcCIEXso47M

pkg.go.dev/vuln/GO-2026-4979

cve.org (CVE-2026-39817)

nvd.nist.gov (CVE-2026-39817)

Download JSON

help @ threatint.eu