CVE-2026-27140
Published: 08 April 2026
Summary
CVE-2026-27140 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Golang Go. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 3.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of flaws like CVE-2026-27140 in the Go cgo/SWIG build process to eliminate the trust layer bypass.
Prohibits developers from building untrusted projects containing malicious SWIG files with 'cgo' names, directly addressing the user interaction required for exploitation.
Deploys malicious code protection on build environments to detect and eradicate smuggled payloads that enable arbitrary code execution during Go cgo compilation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables client-side RCE via malicious SWIG files during Go builds (T1203) and directly facilitates supply-chain compromise of development tooling/dependencies (T1195.001).
NVD Description
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
Deeper analysisAI
CVE-2026-27140 affects the Go programming language's build process, specifically when using cgo with SWIG-generated files. The vulnerability arises from SWIG file names containing 'cgo' combined with well-crafted payloads, which bypass a trust layer (CWE-863: Incorrect Authorization). This enables code smuggling and arbitrary code execution at build time. It was published on 2026-04-08 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Attackers can exploit this vulnerability remotely with low complexity and no required privileges, but it relies on user interaction, such as a developer building a project from an untrusted source containing malicious SWIG files. Successful exploitation grants arbitrary code execution on the build machine, potentially compromising the entire development environment with high impacts on confidentiality, integrity, and availability.
Mitigation guidance is provided in the Go security advisory GO-2026-4871 (https://pkg.go.dev/vuln/GO-2026-4871), the golang-announce mailing list post (https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU), the associated issue tracker (https://go.dev/issue/78335), and the code change list (https://go.dev/cl/763768).
Details
- CWE(s)