VYPR
Low severity (2.5) · NVD Advisory · Published Mar 6, 2026 · Updated Apr 21, 2026

CVE-2026-27139

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir, the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem; it does not permit reading or writing files outside the root.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

On Unix, Go's File.ReadDir/Readdir can return FileInfo for files outside the opened Root due to a TOCTOU race, leaking metadata.

Vulnerability

Overview

CVE-2026-27139 is a time-of-check/time-of-use (TOCTOU) race condition in Go's os package on Unix platforms. When listing directory contents using File.ReadDir or File.Readdir, the returned FileInfo is populated via lstat. An attacker who can replace the directory with a symlink between the directory read and the lstat call can cause the FileInfo to reference a file outside the Root in which the file was opened [2].

Exploitation

Prerequisites

Exploitation requires the attacker to have write access to the directory being listed, allowing them to atomically replace it with a symlink pointing to an arbitrary path. The race window is small but exploitable. No authentication is needed beyond the ability to modify the filesystem within the root [2].

Impact

The impact is limited to reading metadata (file existence, size, permissions, etc.) from arbitrary locations on the filesystem via lstat. The attacker cannot read or write file contents outside the root. This could be used to probe for the presence or absence of files or glean metadata like file sizes [2][3].

Mitigation

The vulnerability is fixed in Go 1.25.8 and Go 1.26.1. Users should update to these versions. No workaround is available other than avoiding the use of File.ReadDir/File.Readdir on directories that could be manipulated by untrusted users [2][3].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Golang/Go (2 versions)
    • cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* (range: <1.25.8)
    • cpe:2.3:a:golang:go:1.26.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.