Go Code Build Time Command Injection in SWIG Files
DEBIAN-CVE-2026-27140
Summary
SWIG files whose names contain 'cgo' and that carry well-crafted payloads can smuggle code into a Go build, bypassing a trust layer and leading to arbitrary code execution at build time. Developers are exposed when they build Go code without carefully reviewing its SWIG files, especially when 'cgo' functionality is in use. To mitigate, keep strict control over SWIG file content and verify all files before building Go code.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | golang-1.15 | All versions | – |
| debian | golang-1.19 | All versions | – |
| debian | golang-1.24 | All versions | – |
| debian | golang-1.25 | All versions | – |
| debian | golang-1.26 | All versions | – |
Original title
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
Original description
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
- https://security-tracker.debian.org/tracker/CVE-2026-27140 Vendor Advisory
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026