CVE-2025-61732

HIGH

GO < 1.24.13 - Code Injection

Title source: rule
STIX 2.1

Description

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

References (39)

Core 39
Core References
Patch, Product
https://go.dev/cl/734220
Issue Tracking, Vendor Advisory
https://go.dev/issue/76697
Vendor Advisory, Patch
https://pkg.go.dev/vuln/GO-2026-4433

Scores

CVSS v3 8.6
EPSS 0.0047
EPSS Percentile 37.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (3)
Go toolchain/cmd/cgo < 1.24.13
Go toolchain/cmd/cgo 1.25.0-0 - 1.25.7
golang/go < 1.24.13
Published Feb 05, 2026
Tracked Since Feb 18, 2026