Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Linux Chmod can operate on unintended external files through symlink attack
DEBIAN-CVE-2026-32282
Summary
This issue affects Linux systems and can occur when a symbolic link to a file outside the root directory is created during a chmod operation. This may allow unauthorized changes to files outside the intended target, but the impact is limited to specific situations where the symbolic link is replaced between the check and operation. Users should be cautious when creating or modifying symbolic links while chmod is running.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | golang-1.15 | All versions | – |
| debian | golang-1.19 | All versions | – |
| debian | golang-1.24 | All versions | – |
| debian | golang-1.24 | All versions | – |
| debian | golang-1.25 | All versions | – |
| debian | golang-1.26 | All versions | – |
Original title
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root...
Original description
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
- https://security-tracker.debian.org/tracker/CVE-2026-32282 Vendor Advisory
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026