Vulnerability-Lookup

CVE-2026-32282 (GCVE-0-2026-32282)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:20

Title

TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

Summary

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Severity

6.4 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following

Assigner

References

4 references

URL	Tags
https://go.dev/cl/763761
https://go.dev/issue/78293
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4864

Impacted products

1 product

Vendor	Product	Version
Go standard library	internal/syscall/unix	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Uuganbayar Lkhamsuren (https://github.com/uug4na)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32282",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:47:42.666766Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:20:56.456Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "internal/syscall/unix",
          "platforms": [
            "linux"
          ],
          "product": "internal/syscall/unix",
          "programRoutines": [
            {
              "name": "Fchmodat"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Uuganbayar Lkhamsuren (https://github.com/uug4na)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:55.953Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/763761"
        },
        {
          "url": "https://go.dev/issue/78293"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4864"
        }
      ],
      "title": "TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32282",
    "datePublished": "2026-04-08T01:06:55.953Z",
    "dateReserved": "2026-03-11T16:38:46.556Z",
    "dateUpdated": "2026-04-13T18:20:56.456Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-32282",
      "date": "2026-05-26",
      "epss": "0.0001",
      "percentile": "0.01258"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32282\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2026-04-08T02:16:03.467\",\"lastModified\":\"2026-04-16T19:15:39.400\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.5,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.5,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.25.9\",\"matchCriteriaId\":\"C6C9C072-9817-402D-877F-F83584B07017\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.26.0\",\"versionEndExcluding\":\"1.26.2\",\"matchCriteriaId\":\"39FE9BAF-55E9-43AA-B14E-239E7EF1D65D\"}]}]}],\"references\":[{\"url\":\"https://go.dev/cl/763761\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/issue/78293\",\"source\":\"security@golang.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU\",\"source\":\"security@golang.org\",\"tags\":[\"Release Notes\",\"Mailing List\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2026-4864\",\"source\":\"security@golang.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32282\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-13T17:47:42.666766Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-13T17:47:38.773Z\"}}], \"cna\": {\"title\": \"TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix\", \"credits\": [{\"lang\": \"en\", \"value\": \"Uuganbayar Lkhamsuren (https://github.com/uug4na)\"}], \"affected\": [{\"vendor\": \"Go standard library\", \"product\": \"internal/syscall/unix\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.25.9\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.26.0-0\", \"lessThan\": \"1.26.2\", \"versionType\": \"semver\"}], \"platforms\": [\"linux\"], \"packageName\": \"internal/syscall/unix\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"Fchmodat\"}]}], \"references\": [{\"url\": \"https://go.dev/cl/763761\"}, {\"url\": \"https://go.dev/issue/78293\"}, {\"url\": \"https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2026-4864\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-61: UNIX Symbolic Link (Symlink) Following\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2026-04-08T01:06:55.953Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32282\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-13T18:20:56.456Z\", \"dateReserved\": \"2026-03-11T16:38:46.556Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2026-04-08T01:06:55.953Z\", \"assignerShortName\": \"Go\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

alsa-2026:14200

Vulnerability from osv_almalinux

Published

2026-05-06 00:00

Modified

2026-05-06 21:14

Summary

Important: git-lfs security update

Details

Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.

Security Fix(es):

golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)
crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:14200	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-32280	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32282	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32283	REPORT
	https://bugzilla.redhat.com/2456336	REPORT
	https://bugzilla.redhat.com/2456338	REPORT
	https://bugzilla.redhat.com/2456339	REPORT
	https://errata.almalinux.org/9/ALSA-2026-14200.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "git-lfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.1-8.el9_7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.  \n\nSecurity Fix(es):  \n\n  * golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n  * crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n  * crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:14200",
  "modified": "2026-05-06T21:14:42Z",
  "published": "2026-05-06T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:14200"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32280"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32282"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32283"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456336"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456339"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2026-14200.html"
    }
  ],
  "related": [
    "CVE-2026-32282",
    "CVE-2026-32283",
    "CVE-2026-32280"
  ],
  "summary": "Important: git-lfs security update"
}

alsa-2026:16875

Vulnerability from osv_almalinux

Published

2026-05-13 00:00

Modified

2026-05-13 09:18

Summary

Important: git-lfs security update

Details

Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.

Security Fix(es):

net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)
golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)
crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:16875	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-25679	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32280	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32282	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32283	REPORT
	https://bugzilla.redhat.com/2445356	REPORT
	https://bugzilla.redhat.com/2456336	REPORT
	https://bugzilla.redhat.com/2456338	REPORT
	https://bugzilla.redhat.com/2456339	REPORT
	https://errata.almalinux.org/8/ALSA-2026-16875.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "git-lfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.1-10.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.  \n\nSecurity Fix(es):  \n\n  * net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n  * golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n  * crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n  * crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:16875",
  "modified": "2026-05-13T09:18:42Z",
  "published": "2026-05-13T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:16875"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-25679"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32280"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32282"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32283"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2445356"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456336"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456339"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2026-16875.html"
    }
  ],
  "related": [
    "CVE-2026-25679",
    "CVE-2026-32282",
    "CVE-2026-32283",
    "CVE-2026-32280"
  ],
  "summary": "Important: git-lfs security update"
}

alsa-2026:17075

Vulnerability from osv_almalinux

Published

2026-05-13 00:00

Modified

2026-05-14 08:53

Summary

Important: yggdrasil security update

Details

yggdrasil is a system daemon that subscribes to topics on an MQTT broker and routes any data received on the topics to an appropriate child "worker" process, exchanging data with its worker processes through a D-Bus message broker.

Security Fix(es):

golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:17075	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-32282	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32283	REPORT
	https://bugzilla.redhat.com/2456336	REPORT
	https://bugzilla.redhat.com/2456338	REPORT
	https://errata.almalinux.org/10/ALSA-2026-17075.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "yggdrasil"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.8-5.el10_1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "yggdrasil-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.8-5.el10_1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "yggdrasil is a system daemon that subscribes to topics on an MQTT broker and routes any data received on the topics to an appropriate child \"worker\" process, exchanging data with its worker processes through a D-Bus message broker.  \n\nSecurity Fix(es):  \n\n  * golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n  * crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:17075",
  "modified": "2026-05-14T08:53:13Z",
  "published": "2026-05-13T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:17075"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32282"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32283"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456336"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456338"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/10/ALSA-2026-17075.html"
    }
  ],
  "related": [
    "CVE-2026-32282",
    "CVE-2026-32283"
  ],
  "summary": "Important: yggdrasil security update"
}

alsa-2026:19350

Vulnerability from osv_almalinux

Published

2026-05-19 00:00

Modified

2026-05-26 12:28

Summary

Important: git-lfs security update

Details

Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.

Security Fix(es):

net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)
golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)
crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:19350	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-25679	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32280	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32282	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32283	REPORT
	https://bugzilla.redhat.com/2445356	REPORT
	https://bugzilla.redhat.com/2456336	REPORT
	https://bugzilla.redhat.com/2456338	REPORT
	https://bugzilla.redhat.com/2456339	REPORT
	https://errata.almalinux.org/9/ALSA-2026-19350.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "git-lfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.1-4.el9_8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.  \n\nSecurity Fix(es):  \n\n  * net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n  * golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n  * crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n  * crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:19350",
  "modified": "2026-05-26T12:28:29Z",
  "published": "2026-05-19T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:19350"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-25679"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32280"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32282"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32283"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2445356"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456336"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456339"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2026-19350.html"
    }
  ],
  "related": [
    "CVE-2026-25679",
    "CVE-2026-32282",
    "CVE-2026-32283",
    "CVE-2026-32280"
  ],
  "summary": "Important: git-lfs security update"
}

alsa-2026:19351

Vulnerability from osv_almalinux

Published

2026-05-19 00:00

Modified

2026-05-26 12:28

Summary

Important: grafana-pcp security update

Details

The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.

Security Fix(es):

golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:19351	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-32282	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32283	REPORT
	https://bugzilla.redhat.com/2456336	REPORT
	https://bugzilla.redhat.com/2456338	REPORT
	https://errata.almalinux.org/9/ALSA-2026-19351.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "grafana-pcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.1.1-15.el9_8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.  \n\nSecurity Fix(es):  \n\n  * golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n  * crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:19351",
  "modified": "2026-05-26T12:28:29Z",
  "published": "2026-05-19T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:19351"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32282"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32283"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456336"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456338"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2026-19351.html"
    }
  ],
  "related": [
    "CVE-2026-32282",
    "CVE-2026-32283"
  ],
  "summary": "Important: grafana-pcp security update"
}

alsa-2026:19352

Vulnerability from osv_almalinux

Published

2026-05-19 00:00

Modified

2026-05-26 12:29

Summary

Important: grafana security update

Details

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

grafana: Grafana: Information disclosure of data-source passwords via public dashboards (CVE-2026-27877)
golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:19352	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-27877	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32282	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32283	REPORT
	https://bugzilla.redhat.com/2452293	REPORT
	https://bugzilla.redhat.com/2456336	REPORT
	https://bugzilla.redhat.com/2456338	REPORT
	https://errata.almalinux.org/9/ALSA-2026-19352.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.2.6-22.el9_8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "grafana-selinux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.2.6-22.el9_8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB.   \n\nSecurity Fix(es):  \n\n  * grafana: Grafana: Information disclosure of data-source passwords via public dashboards (CVE-2026-27877)\n  * golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n  * crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:19352",
  "modified": "2026-05-26T12:29:02Z",
  "published": "2026-05-19T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:19352"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-27877"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32282"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32283"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2452293"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456336"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456338"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2026-19352.html"
    }
  ],
  "related": [
    "CVE-2026-27877",
    "CVE-2026-32282",
    "CVE-2026-32283"
  ],
  "summary": "Important: grafana security update"
}

alsa-2026:19353

Vulnerability from osv_almalinux

Published

2026-05-19 00:00

Modified

2026-05-26 12:28

Summary

Important: opentelemetry-collector security update

Details

Collector with the supported components for a AlmaLinux build of OpenTelemetry

Security Fix(es):

net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)
google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)
github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)
crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation (CVE-2026-32281)
crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application (CVE-2026-33810)
golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)
crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:19353	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-25679	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32280	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32281	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32282	REPORT
	https://access.redhat.com/security/cve/CVE-2026-32283	REPORT
	https://access.redhat.com/security/cve/CVE-2026-33186	REPORT
	https://access.redhat.com/security/cve/CVE-2026-33810	REPORT
	https://access.redhat.com/security/cve/CVE-2026-34986	REPORT
	https://bugzilla.redhat.com/2445356	REPORT
	https://bugzilla.redhat.com/2449833	REPORT
	https://bugzilla.redhat.com/2455470	REPORT
	https://bugzilla.redhat.com/2456333	REPORT
	https://bugzilla.redhat.com/2456335	REPORT
	https://bugzilla.redhat.com/2456336	REPORT
	https://bugzilla.redhat.com/2456338	REPORT
	https://bugzilla.redhat.com/2456339	REPORT
	https://errata.almalinux.org/9/ALSA-2026-19353.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "opentelemetry-collector"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.144.0-2.el9_8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Collector with the supported components for a AlmaLinux build of OpenTelemetry  \n\nSecurity Fix(es):  \n\n  * net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)\n  * google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (CVE-2026-33186)\n  * github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)\n  * crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation (CVE-2026-32281)\n  * crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application (CVE-2026-33810)\n  * golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n  * crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n  * crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:19353",
  "modified": "2026-05-26T12:28:29Z",
  "published": "2026-05-19T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:19353"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-25679"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32280"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32281"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32282"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-32283"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-33186"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-33810"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-34986"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2445356"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2449833"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2455470"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456333"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456335"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456336"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2456339"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2026-19353.html"
    }
  ],
  "related": [
    "CVE-2026-25679",
    "CVE-2026-33186",
    "CVE-2026-34986",
    "CVE-2026-32281",
    "CVE-2026-33810",
    "CVE-2026-32282",
    "CVE-2026-32283",
    "CVE-2026-32280"
  ],
  "summary": "Important: opentelemetry-collector security update"
}

bit-golang-2026-32282

Vulnerability from bitnami_vulndb

Published

2026-04-13 05:43

Modified

2026-04-17 00:10

Summary

TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "golang",
        "purl": "pkg:bitnami/golang"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25.9"
            },
            {
              "introduced": "1.26.0-0"
            },
            {
              "fixed": "1.26.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32282"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.",
  "id": "BIT-golang-2026-32282",
  "modified": "2026-04-17T00:10:47.507Z",
  "published": "2026-04-13T05:43:42.625Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://go.dev/cl/763761"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/issue/78293"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2026-4864"
    }
  ],
  "schema_version": "1.6.2",
  "summary": "TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix"
}

CERTFR-2026-AVI-0498

Vulnerability from certfr_avis - Published: 2026-04-27 - Updated: 2026-04-27

De multiples vulnérabilités ont été découvertes dans Zabbix Agent2. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Zabbix	Agent	Zabbix agent2 versions 7.4.8 et 7.4.9 sans les derniers correctifs de sécurité

References

Title

Publication Time

CERTFR-2026-AVI-0540

Vulnerability from certfr_avis - Published: 2026-05-06 - Updated: 2026-05-06

De multiples vulnérabilités ont été découvertes dans VMware Tanzu Gemfire. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	VMware	Tanzu Gemfire	Tanzu GemFire Management Console versions antérieures à 1.4.4

References

Title

Publication Time

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-32282 (GCVE-0-2026-32282)

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from bitnami_vulndb

Solutions

Solutions

Tags

Sightings

Nomenclature