CVE-2020-28367

HIGH

Go < 1.14.12 - Code Injection

Title source: rule

Description

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.

Scores

CVSS v3 7.5
EPSS 0.0027
EPSS Percentile 50.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (1)
golang/go < 1.14.12
Published Nov 18, 2020
Tracked Since Feb 18, 2026