High7.8Red Hat & Ubuntu Linux Updated
Go os.Root: Symlink following vulnerability allows directory traversal
CVE-2026-39822 Published Jul 8, 2026Updated by vendor Jul 8, 2026
CVE-2026-39822
Affected products & platforms
Red Hat & Ubuntu LinuxUnclassified
Summary
Go os.Root: Symlink following vulnerability allows directory traversal. Red Hat rates this important (CVSS 7.8). Weakness: CWE-59. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Mitigation checklist
Recommended fix / mitigation
- There is no mitigation for this issue other than updating the Go toolchain to Go 1.25.12 or Go 1.26.5. Programs compiled with Go >= 1.24 that do not use the os.Root API are not affected by this vulnerability. The os.Root API was introduced in Go 1.24. Go versions prior to 1.24 are not affected. This issue is fixed in Go 1.25.12 and Go 1.26.5.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.