A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

Description

Vendor	Product	Versions
golang	go	< 1.24.13, < 1.25.7

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
amazon	amazon linux	cert_advisory	90%
golang	go	cert_advisory	90%
ibm	ibm app connect enterprise	cert_advisory	90%
oracle	oracle linux	cert_advisory	90%
red hat	openshift	cert_advisory	90%

Tier B

BSI Advisories20h ago

→ No new info (linked only)

CVSS 3.18.6 HIGH

VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.24.131.25.7

CWECWE-94

PublishedFeb 5, 2026

Last enriched11h ago

Trending Score25

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack