๐Ÿ” CVE Alert

CVE-2026-39822

HIGH 7.8

Root escape via symlink plus trailing slash in os

CVSS Score
7.8
EPSS Score
0.0%
EPSS Percentile
0th

On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. For example, 'root.Open("symlink/")' will open "symlink" even when "symlink" is a symbolic link pointing outside of the root.

Vendor go standard library
Product os
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for go standard library os

Be the first to know when new high vulnerabilities affecting go standard library os are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Go standard library / os
0 < 1.25.12 1.26.0-0 < 1.26.5 1.27.0-0 < 1.27.0-rc.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
go.dev: https://go.dev/issue/79005 groups.google.com: https://groups.google.com/g/golang-announce/c/OrmQE_Yp5Sc go.dev: https://go.dev/cl/797880 pkg.go.dev: https://pkg.go.dev/vuln/GO-2026-4970

Credits

Mundur (https://github.com/M0nd0R)