CVE-2026-27139

Published: Mar 6, 2026

Modified: Mar 9, 2026

PUBLISHED

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

Vendor	Product	Versions
Go standard library	os	affected `0 - < 1.25.8` affected `1.26.0-0 - < 1.26.1`

References

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

https://go.dev/issue/77827

https://go.dev/cl/749480

https://pkg.go.dev/vuln/GO-2026-4602

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-27139

Description

Affected Products

References