CVE-2026-27139

LOW 2.5

FileInfo can escape from a Root in os

CVSS Score

2.5

EPSS Score

0.0%

EPSS Percentile

0th

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

Vendor	go standard library
Product	os
Published	Mar 6, 2026
Last Updated	Mar 9, 2026

Stay Ahead of the Next One

Get instant alerts for go standard library os

Be the first to know when new low vulnerabilities affecting go standard library os are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Go standard library / os

0 < 1.25.8 1.26.0-0 < 1.26.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

groups.google.com: https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk go.dev: https://go.dev/issue/77827 go.dev: https://go.dev/cl/749480 pkg.go.dev: https://pkg.go.dev/vuln/GO-2026-4602

Credits

Miloslav Trmač of Red Hat