Moderate severityNVD Advisory· Published Jun 22, 2022· Updated Aug 3, 2024
CVE-2022-29526
CVE-2022-29526
Description
Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Incorrect privilege assignment in Go's Faccessat function could incorrectly report file accessibility with non-zero flags.
Vulnerability
CVE-2022-29526 describes an incorrect privilege assignment in Go's Faccessat function. When called with a non-zero flags parameter, the function may incorrectly report that a file is accessible, even when the calling process does not have the necessary permissions [2]. This issue affects Go versions before 1.17.10 and 1.18.x before 1.18.2.
Exploitation
The flaw can be triggered by passing a non-zero value for the flags argument to Faccessat. An attacker with the ability to invoke this system call could cause the function to return a false positive regarding file accessibility, potentially bypassing intended access controls.
Impact
Successful exploitation could allow an attacker to gain unauthorized access to files or escalate privileges, as the incorrect permission check may let them read or write files they should not be able to access [3].
Mitigation
The Go team has fixed this issue in Go 1.17.10 and Go 1.18.2. Users are advised to update to these releases or later to remediate the vulnerability.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
golang.org/x/sysGo | < 0.0.0-20220412211240-33da011f77ad | 0.0.0-20220412211240-33da011f77ad |
Affected products
79- Go/Godescription
- osv-coords78 versionspkg:apk/chainguard/ctoppkg:apk/chainguard/dynamic-localpv-provisionerpkg:apk/chainguard/dynamic-localpv-provisioner-fipspkg:apk/chainguard/eks-distro-coredns-1.8pkg:apk/chainguard/grpcurlpkg:apk/chainguard/k3dpkg:apk/chainguard/k3d-proxypkg:apk/chainguard/k3d-toolspkg:apk/chainguard/kindpkg:apk/chainguard/kubeflowpkg:apk/chainguard/kubeflow-access-managementpkg:apk/chainguard/kubeflow-access-management-compatpkg:apk/chainguard/kubeflow-access-management-fipspkg:apk/chainguard/kubeflow-access-management-fips-compatpkg:apk/chainguard/kubeflow-admission-webhookpkg:apk/chainguard/kubeflow-admission-webhook-compatpkg:apk/chainguard/kubeflow-admission-webhook-fipspkg:apk/chainguard/kubeflow-admission-webhook-fips-compatpkg:apk/chainguard/kubeflow-fipspkg:apk/chainguard/kubeflow-notebook-controllerpkg:apk/chainguard/kubeflow-notebook-controller-compatpkg:apk/chainguard/kubeflow-notebook-controller-fipspkg:apk/chainguard/kubeflow-notebook-controller-fips-compatpkg:apk/chainguard/kubeflow-profile-controllerpkg:apk/chainguard/kubeflow-profile-controller-compatpkg:apk/chainguard/kubeflow-profile-controller-fipspkg:apk/chainguard/kubeflow-profile-controller-fips-compatpkg:apk/chainguard/kubeflow-pvcviewer-controllerpkg:apk/chainguard/kubeflow-pvcviewer-controller-compatpkg:apk/chainguard/kubeflow-pvcviewer-controller-fipspkg:apk/chainguard/kubeflow-pvcviewer-controller-fips-compatpkg:apk/chainguard/kubeflow-tensorboard-controllerpkg:apk/chainguard/kubeflow-tensorboard-controller-compatpkg:apk/chainguard/kubeflow-tensorboard-controller-fipspkg:apk/chainguard/kubeflow-tensorboard-controller-fips-compatpkg:apk/chainguard/prometheus-postgres-exporter-0.10pkg:apk/chainguard/terraform-provider-sendgridpkg:apk/chainguard/terraform-provider-sendgrid-fipspkg:apk/wolfi/ctoppkg:apk/wolfi/dynamic-localpv-provisionerpkg:apk/wolfi/grpcurlpkg:apk/wolfi/k3dpkg:apk/wolfi/k3d-proxypkg:apk/wolfi/k3d-toolspkg:apk/wolfi/kindpkg:apk/wolfi/kubeflowpkg:apk/wolfi/kubeflow-access-managementpkg:apk/wolfi/kubeflow-access-management-compatpkg:apk/wolfi/kubeflow-admission-webhookpkg:apk/wolfi/kubeflow-admission-webhook-compatpkg:apk/wolfi/kubeflow-notebook-controllerpkg:apk/wolfi/kubeflow-notebook-controller-compatpkg:apk/wolfi/kubeflow-profile-controllerpkg:apk/wolfi/kubeflow-profile-controller-compatpkg:apk/wolfi/kubeflow-pvcviewer-controllerpkg:apk/wolfi/kubeflow-pvcviewer-controller-compatpkg:apk/wolfi/kubeflow-tensorboard-controllerpkg:apk/wolfi/kubeflow-tensorboard-controller-compatpkg:apk/wolfi/terraform-provider-sendgridpkg:bitnami/golangpkg:golang/golang.org/x/syspkg:rpm/opensuse/go1.17&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/go1.17&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/go1.18&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/go1.18&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/go1.18-openssl&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/go1.18-openssl&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/go1.17&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/go1.17&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4pkg:rpm/suse/go1.18&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/go1.18&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4pkg:rpm/suse/go1.18-openssl&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/go1.18-openssl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/go1.18-openssl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/go1.18-openssl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4pkg:rpm/suse/go1.18-openssl&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3pkg:rpm/suse/go1.18-openssl&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/go1.18-openssl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3
< 0.7.7-r13+ 77 more
- (no CPE)range: < 0.7.7-r13
- (no CPE)range: < 3.4.1-r3
- (no CPE)range: < 3.5.0-r0
- (no CPE)range: < 1.8.7-r5
- (no CPE)range: < 1.8.7-r7
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 0.22.0-r1
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.0.1-r1
- (no CPE)range: < 1.0.1-r1
- (no CPE)range: < 0.7.7-r13
- (no CPE)range: < 3.4.1-r3
- (no CPE)range: < 1.8.7-r7
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 0.22.0-r1
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.0.1-r1
- (no CPE)range: < 1.17.10
- (no CPE)range: < 0.0.0-20220412211240-33da011f77ad
- (no CPE)range: < 1.17.10-150000.1.34.1
- (no CPE)range: < 1.17.10-150000.1.34.1
- (no CPE)range: < 1.18.2-150000.1.17.1
- (no CPE)range: < 1.18.2-150000.1.17.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.17.10-150000.1.34.1
- (no CPE)range: < 1.17.10-150000.1.34.1
- (no CPE)range: < 1.18.2-150000.1.17.1
- (no CPE)range: < 1.18.2-150000.1.17.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
20- github.com/advisories/GHSA-p782-xgp4-8hr8ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q6GE5EQGE4L2KRVGW4T75QVIYAXCLO5X/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2022-29526ghsaADVISORY
- security.gentoo.org/glsa/202208-02ghsavendor-advisoryx_refsource_GENTOOWEB
- github.com/golang/go/issues/52313ghsax_refsource_MISCWEB
- go.dev/cl/399539ghsaWEB
- go.dev/cl/400074ghsaWEB
- go.dev/issue/52313ghsaWEB
- groups.google.com/g/golang-announceghsax_refsource_MISCWEB
- groups.google.com/g/golang-announce/c/Y5qrqw_lWdUghsax_refsource_MISCWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q6GE5EQGE4L2KRVGW4T75QVIYAXCLO5XghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJRghsaWEB
- pkg.go.dev/vuln/GO-2022-0493ghsaWEB
- security.netapp.com/advisory/ntap-20220729-0001ghsaWEB
- security.netapp.com/advisory/ntap-20220729-0001/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.