Cyber Resilience

CVE-2026-27140

Severity: High (updated)
Published: 08 April 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (see the Go advisory and change list under Deeper analysis)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0053 (40.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27140 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Golang Go. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 40.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27140 affects the Go programming language's build process, specifically when cgo is used together with SWIG-generated files. The vulnerability arises when SWIG file names containing 'cgo' are combined with crafted payloads, which bypass a trust layer (CWE-863: Incorrect Authorization). This enables code smuggling and arbitrary code execution at build time. It was published on 2026-04-08 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Attackers can exploit this vulnerability remotely with low complexity and no required privileges, but exploitation depends on user interaction, such as a developer building a project from an untrusted source that contains malicious SWIG files. Successful exploitation grants arbitrary code execution on the build machine, potentially compromising the entire development environment, with high impact on confidentiality, integrity, and availability.

Mitigation guidance is provided in the Go security advisory GO-2026-4871 (https://pkg.go.dev/vuln/GO-2026-4871), the golang-announce mailing list post (https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU), the associated issue tracker (https://go.dev/issue/78335), and the code change list (https://go.dev/cl/763768).
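As an added defender's pre-build check (written for this page, not code from the Go project or the advisory), the following Go program walks a checkout and lists SWIG interface files (`.swig` and `.swigcxx`, the extensions the go command hands to swig) whose base name contains 'cgo', the naming pattern the advisory describes, so they can be reviewed before `go build` runs on an untrusted tree. The case-insensitive match is an assumption chosen to err on the side of flagging.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// swigExts are the SWIG interface file extensions that cmd/go hands to swig.
var swigExts = map[string]bool{".swig": true, ".swigcxx": true}

// SuspiciousSwigName reports whether name is a SWIG input file whose base name
// contains "cgo", the pattern the advisory describes (match is case-insensitive).
func SuspiciousSwigName(name string) bool {
	ext := filepath.Ext(name)
	if !swigExts[ext] {
		return false
	}
	base := strings.TrimSuffix(filepath.Base(name), ext)
	return strings.Contains(strings.ToLower(base), "cgo")
}

// FindSuspiciousSwigFiles walks root and returns the paths of matching files
// so they can be reviewed before the checkout is built.
func FindSuspiciousSwigFiles(root string) ([]string, error) {
	var hits []string
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if !info.IsDir() && SuspiciousSwigName(info.Name()) {
			hits = append(hits, p)
		}
		return nil
	})
	return hits, err
}

func main() {
	hits, err := FindSuspiciousSwigFiles(".") // audit the current checkout
	if err != nil {
		fmt.Fprintln(os.Stderr, "walk failed:", err)
		os.Exit(2)
	}
	for _, h := range hits {
		fmt.Println("review before building:", h)
	}
}
```

A hit is a prompt for manual review of the file and its origin, not proof of exploitation; the authoritative fix is updating to a Go release outside the affected version ranges listed below.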


Vulnerability details

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1195.001 Compromise Software Dependencies and Development Tools (tactic: Initial Access)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

Vulnerability enables client-side RCE via malicious SWIG files during Go builds (T1203) and directly facilitates supply-chain compromise of development tooling/dependencies (T1195.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-61732 (same product: Golang Go)
CVE-2026-27143 (same product: Golang Go)
CVE-2025-61731 (same product: Golang Go)
CVE-2026-33810 (same product: Golang Go)
CVE-2025-68121 (same product: Golang Go)
CVE-2026-27144 (same product: Golang Go)
CVE-2026-27137 (same product: Golang Go)
CVE-2025-61726 (same product: Golang Go)
CVE-2026-32283 (same product: Golang Go)
CVE-2026-25679 (same product: Golang Go)

Affected Assets

golang/go: versions ≤ 1.25.9, and 1.26.0 through 1.26.2

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and correction of flaws such as CVE-2026-27140 in the Go cgo/SWIG build process, eliminating the trust layer bypass.

CM-11 User-installed Software (prevent)

Prohibits developers from building untrusted projects that contain malicious SWIG files with 'cgo' in their names, directly addressing the user interaction required for exploitation.

SI-3 Malicious Code Protection (prevent, detect)

Deploys malicious code protection on build environments to detect and eradicate smuggled payloads that would enable arbitrary code execution during Go cgo compilation.
