CVE-2026-39819: Invoking "go bug" follows symlinks in predictable temporary filenames in cmd/go

Q: What is the severity of CVE-2026-39819?

CVE-2026-39819 has a medium severity rating due to its potential to allow local attackers to execute arbitrary code.

Q: What causes CVE-2026-39819?

CVE-2026-39819 is caused by the "go bug" command following symlinks in predictable temporary filenames.

Q: How do I fix CVE-2026-39819?

To mitigate CVE-2026-39819, avoid using predictable filenames in the temporary directory or update to the latest patched version of Go.

Q: Who is affected by CVE-2026-39819?

Users of the Go cmd/go tool who have access to the temporary directory are affected by CVE-2026-39819.

Q: What type of attack is possible with CVE-2026-39819?

CVE-2026-39819 allows for symbolic link attacks, which can lead to unauthorized file access or code execution.

Published May 7, 2026

Updated

The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

Affected Software

3 affected components

go Go cmd/go

Golang Go<1.25.10

Golang Go>=1.26.0<1.26.3

Remediation

Patch Available

https://go.dev/cl/763882

Event History

May 7, 2026

CVE Published

via MITRE·07:41 PM

Data Sourced

via MITRE·07:41 PM

DescriptionWeakness

Data Sourced

via NVD·08:16 PM

RemedyDescriptionSeverityWeaknessAffected Software

Frequently Asked Questions

What is the severity of CVE-2026-39819?

CVE-2026-39819 has a medium severity rating due to its potential to allow local attackers to execute arbitrary code.

What causes CVE-2026-39819?

CVE-2026-39819 is caused by the "go bug" command following symlinks in predictable temporary filenames.

How do I fix CVE-2026-39819?

To mitigate CVE-2026-39819, avoid using predictable filenames in the temporary directory or update to the latest patched version of Go.

Who is affected by CVE-2026-39819?

Users of the Go cmd/go tool who have access to the temporary directory are affected by CVE-2026-39819.

What type of attack is possible with CVE-2026-39819?

CVE-2026-39819 allows for symbolic link attacks, which can lead to unauthorized file access or code execution.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.

CVE-2026-39819: Invoking "go bug" follows symlinks in predictable temporary filenames in cmd/go

Affected Software

Remediation

Patch Available

Event History

Don't miss critical vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2026-39819?

What causes CVE-2026-39819?

How do I fix CVE-2026-39819?

Who is affected by CVE-2026-39819?

What type of attack is possible with CVE-2026-39819?

Company

Resources

Contact