Description
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
References (4)
Core References
Patch, Product
https://go.dev/cl/734220
Issue Tracking, Vendor Advisory
https://go.dev/issue/76697
Mailing List, Release Notes
https://groups.google.com/g/golang-announce/c/K09ubi9FQFk
Vendor Advisory, Patch
https://pkg.go.dev/vuln/GO-2026-4433
Scores
CVSS v3
8.6
EPSS
0.0001
EPSS Percentile
0.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (1)
golang/go
< 1.24.13
Published
Feb 05, 2026
Tracked Since
Feb 18, 2026