Description
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.
Published: 2026-03-06
Score: 2.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Metadata Leaks via FileInfo Root Escape
Action: Assess Impact
AI Analysis

Impact

This vulnerability allows the FileInfo object returned by File.ReadDir or File.Readdir on Unix systems to reference a file outside of the directory’s initial root. As a result, an application can obtain limited metadata about arbitrary files through the operating system’s lstat system call, but cannot read or write those files. The weakness stems from insufficient path validation and is classified as CWE-22, a path traversal issue.

Affected Systems

Affected vendors include the Go standard library (product os). The flaw is present in Go releases that have not yet applied the related fix. No specific version list is provided, so all Go versions prior to the patch are considered vulnerable when running on Unix platforms.

Risk and Exploitability

The CVSS score of 2.5 indicates a low severity issue, and an EPSS score of less than 1% reflects a very low likelihood of exploitation in the wild. The flaw has not been listed in the CISA KEV catalog. Exploitation is possible only from within the same host and requires that an attacker can influence or observe a process performing directory reads. While no remote code execution or data exfiltration is gained, the ability to learn sensitive file metadata could aid in further attacks.

Generated by OpenCVE AI on April 16, 2026 at 11:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Go release that contains the fixed FileInfo root check.
  • Restrict the use of File.ReadDir and File.Readdir to directories that are verified to be within trusted paths, or add additional path validation before processing the returned FileInfo objects.
  • Run any applications that process untrusted directories with the minimum necessary privileges, limiting their ability to access files outside the intended directory tree.
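The re-validation suggested in the second action above, as an added Go example that is not code from the Go project or this advisory: it assumes Go 1.24+ (os.Root, Root.Open, Root.Lstat), takes dir as a path relative to the Root, and treats Root.Lstat as the trusted view because the advisory names only File.ReadDir and File.Readdir as affected.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// verifiedEntries lists dir (relative to root). The FileInfo that
// DirEntry.Info derives from File.ReadDir is treated as untrusted; root.Lstat,
// which resolves the name inside the Root, is the reference. Entries whose two
// views disagree, or that vanished between the calls, land in rejected.
func verifiedEntries(root *os.Root, dir string) (ok []fs.FileInfo, rejected []string, err error) {
	f, err := root.Open(dir)
	if err != nil {
		return nil, nil, err
	}
	defer f.Close()
	entries, err := f.ReadDir(-1)
	if err != nil {
		return nil, nil, err
	}
	for _, e := range entries {
		rel := filepath.Join(dir, e.Name())
		fromReadDir, err1 := e.Info()     // lazily lstat()s via the directory's path
		fromRoot, err2 := root.Lstat(rel) // Root-scoped lookup, resolved inside the Root
		// Reject on any error (e.g. entry removed between the calls) or when the
		// two views name different device/inode pairs.
		if err1 != nil || err2 != nil || !os.SameFile(fromReadDir, fromRoot) {
			rejected = append(rejected, rel)
			continue
		}
		ok = append(ok, fromRoot)
	}
	return ok, rejected, nil
}

func main() {
	root, err := os.OpenRoot(".") // constructed demo: the current directory as the Root
	if err != nil {
		panic(err)
	}
	defer root.Close()
	ok, rejected, err := verifiedEntries(root, ".")
	fmt.Printf("verified=%d rejected=%v err=%v\n", len(ok), rejected, err)
}
```

Callers then act only on the FileInfo values in ok and log or skip the names in rejected, which keeps metadata handling bound to the Root even on an unpatched toolchain.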

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 14:45:00 +0000

  • First Time appeared (added): Golang; Golang go
  • CPEs (added): cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*; cpe:2.3:a:golang:go:1.26.0:*:*:*:*:*:*:*
  • Vendors & Products (added): Golang; Golang go

Tue, 10 Mar 2026 12:15:00 +0000

  • Weaknesses (added): CWE-22
  • References
  • Metrics (threat_severity): None -> Low

Mon, 09 Mar 2026 15:30:00 +0000

  • Metrics (added):
      cvssV3_1: {'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

  • First Time appeared (added): Go Standard Library; Go Standard Library os
  • Vendors & Products (added): Go Standard Library; Go Standard Library os

Fri, 06 Mar 2026 21:45:00 +0000

  • Description (added): On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.
  • Title (added): FileInfo can escape from a Root in os
  • References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-03-09T14:53:58.363Z

Reserved: 2026-02-17T19:57:28.435Z

Link: CVE-2026-27139

Vulnrichment

Updated: 2026-03-09T14:53:42.735Z

NVD

Status : Analyzed

Published: 2026-03-06T22:16:01.070

Modified: 2026-04-21T14:32:36.317

Link: CVE-2026-27139

Redhat

Severity : Low

Public Date: 2026-03-06T21:28:14Z

Links: CVE-2026-27139 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses