pkg:Go/toolchain

All known vulnerabilities

• CRITICAL9.8CVE-2026-27143Missing bound checks can lead to memory corruption in safe Go in cmd/compile
  from 0, < 1.25.9, >= 1.26.0-0, < 1.26.2
• CRITICAL9.8CVE-2023-24531Output of "go env" does not sanitize values in cmd/go
  from 0, < 1.21.0-0
• CRITICAL9.8CVE-2023-39320Arbitrary code execution via go.mod toolchain directive in cmd/go
  >= 1.21.0-0, < 1.21.1
• CRITICAL9.8CVE-2023-29402Code injection via go command with cgo in cmd/go
  from 0, < 1.19.10, >= 1.20.0-0, < 1.20.5
• CRITICAL9.8CVE-2023-29405Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go
  from 0, < 1.19.10, >= 1.20.0-0, < 1.20.5
• CRITICAL9.8CVE-2023-29404Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go
  from 0, < 1.19.10, >= 1.20.0-0, < 1.20.5
• CRITICAL9.8CVE-2021-38297Buffer overflow in WASM modules in misc/wasm and cmd/link
  from 0, < 1.16.9, >= 1.17.0-0, < 1.17.2
• HIGH8.8CVE-2026-27140Code execution vulnerability in SWIG code generation in cmd/go
  from 0, < 1.25.9, >= 1.26.0-0, < 1.26.2
• HIGH8.8CVE-2024-45340GOAUTH credential leak in cmd/go
  >= 1.24.0-0, < 1.24.0-rc.2
• HIGH8.6CVE-2025-61732Potential code smuggling via doc comments in cmd/cgo
  from 0, < 1.24.13, >= 1.25.0-0, < 1.25.7
• HIGH8.6CVE-2025-4674Unexpected command execution in untrusted VCS repositories in cmd/go
  from 0, < 1.23.11, >= 1.24.0-0, < 1.24.5
• HIGH8.1CVE-2023-39323Arbitrary code execution during build via line directives in cmd/go
  from 0, < 1.20.9, >= 1.21.0-0, < 1.21.2
• HIGH7.8CVE-2025-61731Arbitrary file write using cgo pkg-config directive in cmd/go
  from 0, < 1.24.12, >= 1.25.0, < 1.25.6
• HIGH7.5CVE-2026-42501Malicious module proxy can bypass checksum database in cmd/go
  from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3
• HIGH7.5CVE-2025-22867Arbitrary code execution during build on darwin in cmd/go
  >= 1.24.0-rc.2, < 1.24.0-rc.3
• HIGH7.5CVE-2023-45285Command 'go get' may unexpectedly fallback to insecure git in cmd/go
  from 0, < 1.20.12, >= 1.21.0-0, < 1.21.5
• HIGH7.5CVE-2022-23773Incorrect access control in the go command in cmd/go/internal/modfetch
  from 0, < 1.16.14, >= 1.17.0-0, < 1.17.7
• HIGH7.5CVE-2020-28367Arbitrary code execution via the go command with cgo in cmd/go
  from 0, < 1.14.12, >= 1.15.0-0, < 1.15.5
• HIGH7.5CVE-2020-28366Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo
  from 0, < 1.14.12, >= 1.15.0-0, < 1.15.5
• HIGH7.5CVE-2021-3115Arbitrary code injection via the go command with cgo on Windows in cmd/go
  from 0, < 1.14.14, >= 1.15.0-0, < 1.15.7
• HIGH7.1CVE-2026-27144Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile
  from 0, < 1.25.9, >= 1.26.0-0, < 1.26.2
• HIGH7.0CVE-2025-68119Unexpected code execution when invoking toolchain in cmd/go
  >= 1.25.0, < 1.25.6
• MEDIUM6.4CVE-2024-24787Arbitrary code execution during build on Darwin in cmd/go
  from 0, < 1.21.10, >= 1.22.0-0, < 1.22.3
• MEDIUM5.9CVE-2026-39817Invoking "go tool pack" does not sanitize output paths in cmd/go
  from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3
• MEDIUM5.3CVE-2026-39819Invoking "go bug" follows symlinks in predictable temporary filenames in cmd/go
  from 0, < 1.25.10, >= 1.26.0-0, < 1.26.3
• —CVE-2018-7187golang-1.7 - security update
  from 0, < 1.9.5, >= 1.10.0-0, < 1.10.1
• —CVE-2018-6574golang-1.8 - security update
  from 0, < 1.8.7, >= 1.9.0-0, < 1.9.4
• —CVE-2017-15041golang-1.7 - security update
  from 0, < 1.8.4, >= 1.9.0-0, < 1.9.1
• —CVE-2018-16873Remote command execution via "go get" with "-u" flag in cmd/go
  from 0, < 1.10.6, >= 1.11.0-0, < 1.11.3
• —CVE-2018-16874Directory traversal via "go get" command in cmd/go
  from 0, < 1.10.6, >= 1.11.0-0, < 1.11.3