{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27139", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-17T19:57:28.435Z", "datePublished": "2026-03-06T21:28:14.451Z", "dateUpdated": "2026-03-09T14:53:58.363Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-06T21:28:14.451Z"}, "title": "FileInfo can escape from a Root in os", "descriptions": [{"lang": "en", "value": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root."}], "affected": [{"vendor": "Go standard library", "product": "os", "collectionURL": "https://pkg.go.dev", "packageName": "os", "versions": [{"version": "0", "lessThan": "1.25.8", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.1", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "File.ReadDir"}, {"name": "File.Readdir"}, {"name": "ReadDir"}, {"name": "dirFS.ReadDir"}, {"name": "rootFS.ReadDir"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-363: Race Condition Enabling Link Following"}]}], "references": [{"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"url": "https://go.dev/issue/77827"}, {"url": "https://go.dev/cl/749480"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4602"}], "credits": [{"lang": "en", "value": "Miloslav Trma\u010d of Red Hat"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.5, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T14:53:55.467850Z", "id": "CVE-2026-27139", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:53:58.363Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.5, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27139", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T14:53:55.467850Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:53:42.735Z"}}], "cna": {"title": "FileInfo can escape from a Root in os", "credits": [{"lang": "en", "value": "Miloslav Trma\u010d of Red Hat"}], "affected": [{"vendor": "Go standard library", "product": "os", "versions": [{"status": "affected", "version": "0", "lessThan": "1.25.8", "versionType": "semver"}, {"status": "affected", "version": "1.26.0-0", "lessThan": "1.26.1", "versionType": "semver"}], "packageName": "os", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "File.ReadDir"}, {"name": "File.Readdir"}, {"name": "ReadDir"}, {"name": "dirFS.ReadDir"}, {"name": "rootFS.ReadDir"}]}], "references": [{"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"url": "https://go.dev/issue/77827"}, {"url": "https://go.dev/cl/749480"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4602"}], "descriptions": [{"lang": "en", "value": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-363: Race Condition Enabling Link Following"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-06T21:28:14.451Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27139", "state": "PUBLISHED", "dateUpdated": "2026-03-09T14:53:58.363Z", "dateReserved": "2026-02-17T19:57:28.435Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-03-06T21:28:14.451Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D293CC0-B163-4E62-B985-52FB6ECA64C5", "versionEndExcluding": "1.25.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:1.26.0:*:*:*:*:*:*:*", "matchCriteriaId": "A40FE3CB-0D03-462B-8A19-4DF1920ABE82", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root."}, {"lang": "es", "value": "En plataformas Unix, al listar el contenido de un directorio usando File.ReadDir o File.Readdir, el FileInfo devuelto podr\u00eda hacer referencia a un archivo fuera de la Ra\u00edz en la que se abri\u00f3 el Archivo. El impacto de este escape se limita a la lectura de metadatos proporcionados por lstat desde ubicaciones arbitrarias en el sistema de archivos sin permitir la lectura o escritura de archivos fuera de la ra\u00edz."}], "id": "CVE-2026-27139", "lastModified": "2026-04-21T14:32:36.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-06T22:16:01.070", "references": [{"source": "security@golang.org", "tags": ["Mailing List"], "url": "https://go.dev/cl/749480"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/77827"}, {"source": "security@golang.org", "tags": ["Release Notes"], "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2026-4602"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "os: FileInfo can escape from a Root in golang os module", "id": "2445335", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445335"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27139", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-03-06T21:28:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27139\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27139\nhttps://go.dev/cl/749480\nhttps://go.dev/issue/77827\nhttps://groups.google.com/g/golang-announce/c/EdhZqrQ98hk\nhttps://pkg.go.dev/vuln/GO-2026-4602"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.25.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.0-0,1.26.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "os", "source": "cna", "vendor": "Go standard library"}, "product": "os", "vendor": "go_standard_library"}], "analysis": {"en": {"generated_at": "2026-04-16T11:06:04.563106+00:00", "value": {"mitigation_remediation": ["Upgrade to a Go release that contains the fixed FileInfo root check.", "Restrict the use of File.ReadDir and File.ReadDir to directories that are verified to be within trusted paths, or add additional path validation before processing the returned FileInfo objects.", "Run any applications that process untrusted directories with the minimum necessary privileges, limiting their ability to access files outside the intended directory tree."], "summary": {"action": "Assess Impact", "impact": "Metadata Leaks via FileInfo Root Escape"}, "threat_synthesis": {"affected_systems": "Affected vendors include the Go standard library (product os). The flaw is present in Go releases that have not yet applied the related fix. No specific version list is provided, so all Go versions prior to the patch are considered vulnerable when running on Unix platforms.", "description_and_impact": "This vulnerability allows the FileInfo object returned by File.ReadDir or File.Readdir on Unix systems to reference a file outside of the directory\u2019s initial root. As a result, an application can obtain limited metadata about arbitrary files through the operating system\u2019s lstat system call, but cannot read or write those files. The weakness stems from insufficient path validation and is classified as CWE-22, a path traversal issue.", "risk_and_exploitability": "The CVSS score of 2.5 indicates a low severity issue, and an EPSS score of less than 1% reflects a very low likelihood of exploitation in the wild. The flaw has not been listed in the CISA KEV catalog. Exploitation is possible only from within the same host and requires that an attacker can influence or observe a process performing directory reads. While no remote code execution or data exfiltration is gained, the ability to learn sensitive file metadata could aid in further attacks."}}}}, "created": "2026-03-09T10:06:17.198638+00:00", "updated": "2026-04-16T11:15:27.680000+00:00", "vendors": ["go_standard_library", "go_standard_library$PRODUCT$os"]}