SWIG Code Generation in Go Allows Malicious Code at Build Time

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

SWIG Code Generation in Go Allows Malicious Code at Build Time

GO-2026-4871 CVE-2026-27140

Summary

A bug in the way Go uses SWIG to generate code can allow attackers to inject malicious code into a project during the build process. This could potentially allow an attacker to execute arbitrary code on the system. To fix this, update to the latest version of the Go command-line tool.

What to do

Update toolchain to version 1.26.2.

Affected software

Vendor	Product	Affected versions	Fix available
–	toolchain	> 1.26.0-0 , <= 1.26.2	1.26.2

Original title

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

Original description

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

https://go.dev/cl/763768 Patch
https://go.dev/issue/78335 Third Party Advisory
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU URL
https://pkg.go.dev/vuln/GO-2026-4871

Published: 8 Apr 2026 · Updated: 9 Apr 2026 · First seen: 8 Apr 2026