CVE-2026-27139

LOW2.5EPSS 0.01%

FileInfo can escape from a Root in os

發布日:2026/3/6修改日:2026/5/15

描述

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

受影響套件(7)

Bitnami/golangfrom 0, < 1.25.8, >= 1.26.0-0, < 1.26.1
Debian/golang-1.15from 0
Debian/golang-1.19from 0
Debian/golang-1.24from 0
Debian/golang-1.25from 0, < 1.25.8-1
Debian/golang-1.26from 0, < 1.26.1-1
Go/stdlibfrom 0, < 1.25.8, >= 1.26.0-0, < 1.26.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	LOW2.5	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

參考連結(6)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-27139
PATCHhttps://go.dev/cl/749480
REPORThttps://go.dev/issue/77827
WEBhttps://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-27139
WEBhttps://pkg.go.dev/vuln/GO-2026-4602