CVE-2026-27139

LOW2.5EPSS 0.01%

FileInfo can escape from a Root in os

Published: 3/6/2026Modified: 5/15/2026

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

Affected packages (7)

Bitnami/golangfrom 0, < 1.25.8, >= 1.26.0-0, < 1.26.1
Debian/golang-1.15from 0
Debian/golang-1.19from 0
Debian/golang-1.24from 0
Debian/golang-1.25from 0, < 1.25.8-1
Debian/golang-1.26from 0, < 1.26.1-1
Go/stdlibfrom 0, < 1.25.8, >= 1.26.0-0, < 1.26.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW2.5	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

References (6)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-27139
PATCHhttps://go.dev/cl/749480
REPORThttps://go.dev/issue/77827
WEBhttps://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-27139
WEBhttps://pkg.go.dev/vuln/GO-2026-4602