CVE-2026-27139

Name	CVE-2026-27139
Description	On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
golang-1.15 (PTS)	bullseye	1.15.15-1~deb11u4	vulnerable
golang-1.19 (PTS)	bookworm	1.19.8-2	vulnerable
golang-1.24 (PTS)	trixie	1.24.4-1	vulnerable
	forky, sid	1.24.13-2	vulnerable
golang-1.25 (PTS)	forky, sid	1.25.8-1	fixed
golang-1.26 (PTS)	forky, sid	1.26.1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
golang-1.15	source	(unstable)	(unfixed)
golang-1.19	source	(unstable)	(unfixed)
golang-1.24	source	(unstable)	(unfixed)
golang-1.25	source	(unstable)	1.25.8-1
golang-1.26	source	(unstable)	1.26.1-1

Notes

[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
https://github.com/golang/go/issues/77827
Fixed by: https://github.com/golang/go/commit/8cce3ab20c49a5c3c9fa8e97ad47335c3ccd2620 (go1.26.1)
Fixed by: https://github.com/golang/go/commit/4091800393d254befde3770fd16f51200ebd5a3d (go1.25.8)