Description
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
Published: 2026-05-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The go bug command in the Go toolchain constructs two temporary files with predictable names in the system temporary directory, such as /tmp. If an attacker can write to this directory, they can create a symbolic link pointing to an arbitrary target and then run go bug. The command will follow the symlink and overwrite the file it references. This local file overwrite is consistent with CWE-59.

Affected Systems

This vulnerability exists in the Go toolchain, specifically the cmd/go command "go bug". No specific Go version numbers are provided in the advisory, so all current releases that have not been patched are potentially affected. The issue can arise on any platform where the system temporary directory (e.g., /tmp on Unix-like systems) is writable by the user executing go bug. A local attacker with write access to that directory can exploit the flaw.

Risk and Exploitability

The flaw is local; it requires write access to the system temporary directory, a permission that many users are granted. The CVSS score of 5.3 indicates moderate severity, while the EPSS score of < 1 % indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must be able to influence the temporary directory used by go bug; the likely attack vector is a local user with write access to that directory.

Generated by OpenCVE AI on May 13, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Limit write permissions on the system temporary directory to trusted users only, preventing unprivileged users from creating symlinks or files there.
  • Regularly review and clean the temporary directory for unexpected symbolic links or files that could be used to overwrite sensitive data.
  • Upgrade the Go toolchain to a version that has fixed the temporary-file symlink handling in go bug once an official patch becomes available.

Generated by OpenCVE AI on May 13, 2026 at 19:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-118
CWE-22

Wed, 13 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang go
Weaknesses CWE-59
CPEs cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Vendors & Products Golang
Golang go

Mon, 11 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Gotoolchain
Gotoolchain cmd/go
Vendors & Products Gotoolchain
Gotoolchain cmd/go

Sat, 09 May 2026 01:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-118
CWE-22

Sat, 09 May 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22

Fri, 08 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22

Thu, 07 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
Title Invoking "go bug" follows symlinks in predictable temporary filenames in cmd/go
References

Subscriptions

Golang Go
Gotoolchain Cmd/go
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-08T21:29:53.674Z

Reserved: 2026-04-07T18:13:03.526Z

Link: CVE-2026-39819

cve-icon Vulnrichment

Updated: 2026-05-08T16:57:14.663Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-07T20:16:43.083

Modified: 2026-05-13T15:05:41.943

Link: CVE-2026-39819

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T20:00:04Z

Weaknesses
  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')