Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
2.5
File.ReadDir on Unix can reveal files outside intended directory
DEBIAN-CVE-2026-27139
Summary
On Unix systems, a bug in the File.ReadDir function can show you information about files outside of the directory you're looking at. This is a security concern because it could potentially reveal sensitive information, but it doesn't allow reading or writing those files. You should update your Go programming language to the latest version to fix this issue.
What to do
- Update debian golang-1.25 to version 1.25.8-1.
- Update debian golang-1.26 to version 1.26.1-1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | golang-1.15 | All versions | – |
| debian | golang-1.19 | All versions | – |
| debian | golang-1.24 | All versions | – |
| debian | golang-1.24 | All versions | – |
| debian | golang-1.25 | <= 1.25.8-1 | 1.25.8-1 |
| debian | golang-1.26 | <= 1.26.1-1 | 1.26.1-1 |
Original title
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The imp...
Original description
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.
- https://security-tracker.debian.org/tracker/CVE-2026-27139 Vendor Advisory
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026