CVE-2026-27139 Overview
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir, the returned FileInfo could reference a file outside of the Root in which the File was opened. This vulnerability affects the Go standard library's os.Root implementation, allowing directory escape through file metadata access.
Critical Impact
Attackers with local access can read file metadata (via lstat) from arbitrary filesystem locations outside the intended root directory, potentially exposing sensitive file information such as ownership, permissions, and modification times.
Affected Products
- Go standard library os package on Unix platforms
- Applications using os.Root with File.ReadDir or File.Readdir methods
- Go applications implementing sandboxed file system operations
Discovery Timeline
- 2026-03-06 - CVE CVE-2026-27139 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-27139
Vulnerability Analysis
This vulnerability exists in Go's os.Root implementation on Unix systems. The os.Root type is designed to provide a restricted view of the filesystem, limiting file operations to a specific directory tree. However, when using the File.ReadDir or File.Readdir methods to enumerate directory contents, the returned FileInfo structures can reference files that exist outside the intended root boundary.
The flaw manifests during directory listing operations where the FileInfo metadata retrieval does not properly validate that the target file remains within the root constraints. This allows an attacker to craft scenarios where metadata from files outside the root directory can be accessed through the lstat system call.
While the impact is limited to metadata exposure (file attributes like ownership, permissions, size, and timestamps) rather than actual file content access, this information disclosure can aid attackers in reconnaissance activities or in identifying high-value targets for further exploitation attempts.
Root Cause
The vulnerability stems from improper path validation in the os.Root implementation when resolving file references returned by directory enumeration operations. The FileInfo objects returned by ReadDir and Readdir do not maintain proper root containment validation, allowing references to files via symbolic links or other mechanisms that point outside the designated root boundary.
Attack Vector
An attacker requires local access to the system and the ability to influence the directory structure or contents within an application's root directory. The attack scenario involves:
- Placing symbolic links or specially crafted directory entries within a root-constrained directory
- Triggering a File.ReadDir or File.Readdir call by the target application
- The returned FileInfo references follow the symbolic link outside the root
- Calling methods on the FileInfo (which internally uses lstat) reveals metadata about files outside the root
The vulnerability requires local access with low privileges, and exploitation complexity is high due to the need to control directory contents and timing. The vulnerability is detailed in the Go.dev Issue Tracker and the Go.dev Vulnerability Report.
Detection Methods for CVE-2026-27139
Indicators of Compromise
- Unusual symbolic link creation patterns within application-managed directories
- Applications using os.Root exhibiting unexpected file system access patterns outside designated root directories
- Log entries showing file metadata access to sensitive system files from sandboxed applications
Detection Strategies
- Monitor for applications using vulnerable Go versions performing directory listing operations with os.Root
- Implement file integrity monitoring on critical system directories to detect unauthorized metadata access patterns
- Review application logs for FileInfo operations that reference paths outside expected root boundaries
- Use static analysis tools to identify Go applications using File.ReadDir or File.Readdir with os.Root
Monitoring Recommendations
- Enable audit logging for file system operations, particularly lstat calls, on sensitive directories
- Monitor for symbolic link creation in directories managed by Go applications using os.Root
- Implement runtime detection for Go applications making file metadata requests outside their designated root paths
How to Mitigate CVE-2026-27139
Immediate Actions Required
- Update Go installations to the latest patched version as referenced in the Go.dev Change Log
- Review applications using os.Root functionality and assess exposure to this vulnerability
- Implement additional application-level path validation when processing FileInfo results from directory listings
- Consider restricting symbolic link creation permissions in directories managed by affected applications
Patch Information
The Go development team has addressed this vulnerability in a security patch. Organizations should review the Golang Announcement for specific version information and upgrade guidance. The fix is tracked in CL 749480.
Workarounds
- Implement additional validation in application code to verify that FileInfo paths remain within expected boundaries before accessing metadata
- Remove or restrict symbolic links within directories used with os.Root operations
- Use file system permissions to prevent creation of symbolic links in sensitive directories
- Consider using alternative sandboxing mechanisms such as chroot, containers, or namespace isolation for stricter file system constraints
# Configuration example - Restrict symbolic link creation in managed directories
# Set immutable attribute on critical directories to prevent symlink attacks
chattr +i /path/to/application/root
# Alternatively, mount with nosymfollow option (if supported)
mount -o remount,nosymfollow /path/to/application/root
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
