TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

Description

A vulnerability categorized as critical has been discovered in syscall-unix up to 1.25.8/1.26.1 on Go. Executing a manipulation of the argument AT_SYMLINK_NOFOLLOW can lead to symlink following. The attack is restricted to local execution.

Affected Products

Vendor	Product	Versions
go standard library	internal/syscall/unix	0, 1.26.0-0, 1.25.8, 1.26.1

References

Related News (1 articles)

Tier C

VulDB2d ago

CVE-2026-32282 | syscall-unix up to 1.25.8/1.26.1 on Go Root.Chmod AT_SYMLINK_NOFOLLOW symlink

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.25.91.26.2

PublishedApr 8, 2026

Last enriched2d agov2

Community Vote

0 upvotes0 downvotes

No votes yet

Version History

Last enriched 2d ago

v2Tier C2d ago

Updated severity to CRITICAL, added affected versions 1.25.8 and 1.26.1, and provided a new description with critical details about the vulnerability.

descriptionseverityaffectedVersionstags

via VulDB

v12d ago

Initial creation

TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (2)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History