Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
2.5
Unix File Listing Can Access Unintended File Metadata
CVE-2026-27139
BIT-golang-2026-27139
Summary
A bug in the way Unix file listings work allows unauthorized access to file information outside the intended directory. This means that an attacker could potentially view file metadata from other parts of the file system, but not access or modify those files. You should update your software to the latest version to fix this issue.
What to do
- Update stdlib to version 1.26.1.
- Update golang to version 1.26.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | stdlib | > 1.26.0-0 , <= 1.26.1 | 1.26.1 |
| – | golang | > 1.26.0-0 , <= 1.26.1 | 1.26.1 |
Original title
FileInfo can escape from a Root in os
Original description
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.
The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.
The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026