Description
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
Published: 2026-04-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution during Go build
Action: Immediate Update
AI Analysis

Impact

SWIG file names that contain the substring 'cgo', combined with specially crafted payloads, can be processed by the Go toolchain during SWIG code generation. This bypasses the expected trust checks and allows the embedded code to be compiled and executed as part of the build. As a result, an attacker who can influence the names or contents of SWIG files can inject malicious code that runs with the privileges of the build process, compromising the confidentiality, integrity, or availability of the built binaries. The weakness is a code-smuggling scenario, related to CWE-641 and CWE-863.

Affected Systems

The vulnerability applies to the Go toolchain component cmd/go used by developers and build systems. No specific version information is supplied, so all releases of the Go toolchain that include the vulnerable SWIG handling path are potentially affected. This includes any environment where Go is used to compile projects that incorporate SWIG modules.

Risk and Exploitability

The CVSS score of 8.8 indicates a high-severity vulnerability that is likely exploitable locally during a build. The EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. Nevertheless, an attacker who gains the ability to supply or modify SWIG files can execute arbitrary code at build time, so the risk is significant if the build environment is compromised or if untrusted code is compiled.

Generated by OpenCVE AI on April 17, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Go toolchain to the latest stable release that contains the SWIG code generation fix.
  • If an immediate upgrade is not possible, avoid using SWIG files whose names contain the substring "cgo" or rename them to a neutral name before compilation.
  • Restrict who can provide source to the build process and run builds in a hardened, isolated environment with the least privilege necessary.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang go
Weaknesses CWE-863
CPEs cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Vendors & Products Golang
Golang go

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94

Mon, 13 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Mon, 13 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-641
References
Metrics threat_severity

None

cvssV3_1

{'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important


Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Gotoolchain
Gotoolchain cmd/go
Vendors & Products Gotoolchain
Gotoolchain cmd/go

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94

Wed, 08 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
Title Code execution vulnerability in SWIG code generation in cmd/go
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-13T13:22:34.117Z

Reserved: 2026-02-17T19:57:28.435Z

Link: CVE-2026-27140

Vulnrichment

Updated: 2026-04-13T13:22:00.796Z

NVD

Status : Analyzed

Published: 2026-04-08T02:16:02.887

Modified: 2026-04-16T19:26:59.613

Link: CVE-2026-27140

Redhat

Severity : Important

Public Date: 2026-04-08T01:06:57Z

Links: CVE-2026-27140 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T10:00:03Z

Weaknesses