A well-crafted SWIG source file could take advantage
of a file-naming convention used inside the trust
boundary of the cgo compiler. Doing so could result
in arbitrary code execution during build time.
SWIG files are disallowed from using this convention.
Thank you to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2026-27140 and Go issue https://go.dev/issue/78335.
This is a PRIVATE issue for CVE-2026-27140, tracked in http://b/479232126 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3520.
/cc @golang/security and @golang/release
A well-crafted SWIG source file could take advantage
of a file-naming convention used inside the trust
boundary of the cgo compiler. Doing so could result
in arbitrary code execution during build time.
SWIG files are disallowed from using this convention.
Thank you to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2026-27140 and Go issue https://go.dev/issue/78335.
This is a PRIVATE issue for CVE-2026-27140, tracked in http://b/479232126 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3520.
/cc @golang/security and @golang/release