VIR Vulnerability Intelligence Relay

Package impact

golang Go / toolchain

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Published Description Impact
CVE-2026-27143 high 8.0 1mo ago Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading … redhatdebiansusegolang+1
CVE-2026-27144 high 8.0 1mo ago The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves… redhatdebiansusegolang+1
CVE-2026-27140 high 8.0 1mo ago SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass. redhatdebiansusegolang+1
CVE-2025-61731 high 8.0 2mo ago Important: golang security update rockylinuxredhatdebiansuse+3
CVE-2025-61732 high 8.0 3mo ago Important: golang security update rockylinuxredhatdebiansuse+3
CVE-2025-4674 high 8.0 9mo ago Important: golang security update redhatrockylinuxdebiansuse+3
CVE-2018-6574 high 8.0 4y ago Remote command execution via "go get" command with cgo in cmd/go archgolang
CVE-2018-16873 high 8.0 4y ago Remote command execution via "go get" with "-u" flag in cmd/go archsusegolang
CVE-2018-16874 high 8.0 4y ago Directory traversal via "go get" command in cmd/go archsusegolang
CVE-2020-28367 high 8.0 4y ago Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. archsusedebiangolang
CVE-2020-28366 high 8.0 4y ago Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. archsusedebiangolang
CVE-2026-42501 high 7.5 7.5 21d ago A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module pr… debiansusegolang
CVE-2026-39817 medium 5.9 5.9 21d ago The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" su… debiansusegolanggcp
CVE-2023-45285 medium 5.5 2y ago Moderate: golang security update redhatsusedebiangolang
CVE-2022-23773 medium 5.5 4y ago Moderate: go-toolset:rhel8 security and bug fix update suserockylinuxdebiangolang
CVE-2021-38297 medium 5.5 4y ago Moderate: go-toolset:rhel8 security and bug fix update archsuserockylinuxdebian+1
CVE-2021-3115 medium 5.5 5y ago Moderate: go-toolset:rhel8 security, bug fix, and enhancement update archsusedebianrockylinux+1
CVE-2026-39819 medium 5.3 5.3 21d ago The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one… debiansusegolanggcp