Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Directory listing on Unix platforms may reveal outside files
UBUNTU-CVE-2026-27139
Summary
A bug in a Unix directory listing function could allow an attacker to see metadata of files outside the intended directory. This is not a security threat to the system's integrity, but it could potentially be used to gather information. To be safe, you should update your software to the latest version.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| canonical | golang-1.24 | All versions | – |
| canonical | golang-1.25 | All versions | – |
Original title
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The imp...
Original description
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.
- https://ubuntu.com/security/CVE-2026-27139 Third Party Advisory
- https://www.cve.org/CVERecord?id=CVE-2026-27139 Third Party Advisory
- https://github.com/golang/go/issues/77827 Third Party Advisory
- https://go.dev/cl/749480 Third Party Advisory
- https://go.dev/issue/77827 Third Party Advisory
- https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk Third Party Advisory
- https://pkg.go.dev/vuln/GO-2026-4602 Third Party Advisory
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026