Description
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
Published: 2026-04-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via root escape
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a time-of-check to time-of-use (TOCTOU) race in Go's Root.Chmod function on Linux. An attacker with write access to the target path can replace the file with a symlink while chmod is in progress. The underlying fchmodat syscall ignores the AT_SYMLINK_NOFOLLOW flag, so the permission change lands on the symlink's target even if it lies outside the expected root. Root.Chmod first checks whether its target is a symlink and returns an error if the symlink points beyond the root, which limits the impact to the window between that check and the syscall, but the race still exists. The main consequence is that an attacker could alter permissions of arbitrary files, potentially aiding privilege escalation. This flaw is classified as CWE-367 and CWE-59.

Affected Systems

The issue affects the Go programming language’s standard library, specifically the internal/syscall/unix package, on Linux. All Go installations that use Root.Chmod are vulnerable until the patch is applied.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate risk, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attackers would need local write access to the target path and the ability to orchestrate a TOCTOU race; thus it is best mitigated by applying the vendor patch or restricting write permissions.

Generated by OpenCVE AI on April 17, 2026 at 09:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Go runtime to the latest release that contains the Root.Chmod fix.
  • If an upgrade is not possible, restrict write permissions on directories that can be targeted by Root.Chmod or avoid using Root.Chmod on paths exposed to untrusted input.
  • Monitor for unexpected permission changes on files outside the intended scope to detect potential exploitation.
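
One way to follow the second recommendation without calling Root.Chmod, shown as an added example (not Go project code and not the vendor fix): open the file through the root, then change the mode on the open descriptor, so no path is resolved again after the containment check. `ChmodViaFD` and `Demo` are hypothetical names; the code assumes Go 1.24 or later for `os.Root`, and a regular file or directory the process can open for reading.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// ChmodViaFD (hypothetical helper) opens name inside root, then uses fchmod(2)
// on the descriptor, so a later symlink swap of the path cannot redirect it.
func ChmodViaFD(root *os.Root, name string, mode fs.FileMode) error {
	f, err := root.Open(name) // fails if name resolves outside the root
	if err != nil {
		return err
	}
	defer f.Close()
	if fi, err := f.Stat(); err != nil { // fstat on the descriptor, not the path
		return err
	} else if !fi.Mode().IsRegular() && !fi.IsDir() {
		return fmt.Errorf("%s: refusing to chmod %v", name, fi.Mode().Type())
	}
	return f.Chmod(mode) // bound to the inode opened above
}

// Demo uses a constructed layout: root/data.txt and root/escape -> ../outside.txt.
func Demo() (inside, outside fs.FileMode, okErr, escapeErr error) {
	base, _ := os.MkdirTemp("", "rootchmod")
	defer os.RemoveAll(base)
	rootDir, secret := filepath.Join(base, "root"), filepath.Join(base, "outside.txt")
	os.Mkdir(rootDir, 0o755)
	os.WriteFile(filepath.Join(rootDir, "data.txt"), []byte("x"), 0o600)
	os.WriteFile(secret, []byte("y"), 0o600)
	os.Chmod(secret, 0o600) // fixed starting mode regardless of umask
	os.Symlink(secret, filepath.Join(rootDir, "escape"))
	root, err := os.OpenRoot(rootDir)
	if err != nil {
		return 0, 0, err, nil
	}
	defer root.Close()
	okErr = ChmodViaFD(root, "data.txt", 0o640)
	escapeErr = ChmodViaFD(root, "escape", 0o666)
	in, _ := os.Stat(filepath.Join(rootDir, "data.txt"))
	out, _ := os.Stat(secret)
	return in.Mode().Perm(), out.Mode().Perm(), okErr, escapeErr
}

func main() { fmt.Println(Demo()) }
```

The file inside the root ends at 0640, the open of the escaping symlink is rejected, and the outside file keeps 0600.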

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang go
Weaknesses CWE-59
CPEs cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Vendors & Products Golang
Golang go

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Fri, 10 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-682

Fri, 10 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
CWE-682

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Go Standard Library
Go Standard Library internal/syscall/unix
Vendors & Products Go Standard Library
Go Standard Library internal/syscall/unix

Wed, 08 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
Title TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-13T18:20:56.456Z

Reserved: 2026-03-11T16:38:46.556Z

Link: CVE-2026-32282

Vulnrichment

Updated: 2026-04-13T17:47:38.773Z

NVD

Status : Analyzed

Published: 2026-04-08T02:16:03.467

Modified: 2026-04-16T19:15:39.400

Link: CVE-2026-32282

Redhat

Severity : Moderate

Public Date: 2026-04-08T01:06:55Z

Links: CVE-2026-32282 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T09:30:14Z

Weaknesses