CVE-2026-42503

Name: CVE-2026-42503

Description: gopls by default communicates via a pipe. However, the -port and -listen flags are supported as a means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind to 0.0.0.0. This can allow a malicious party on the same network to execute arbitrary code via gopls.

Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Debian Bugs: 1138256

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release    | Version        | Status
gopls (PTS)    | trixie     | 2:0.16.1+ds-1  | vulnerable
gopls (PTS)    | forky, sid | 2:0.21.1+ds-2  | vulnerable

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
gopls   | source | (unstable) | (unfixed)     |         |        | 1138256

Notes

[trixie] - gopls <no-dsa> (Minor issue)
https://github.com/golang/go/issues/79211
https://go-review.googlesource.com/c/tools/+/774381/
Fixed by: https://github.com/golang/tools/commit/90abdab4cf0af205d3d2212c73526b58c97d0bf6 (gopls/v0.22.0-pre.2)
check impact on golang-golang-x-tools
