CVE-2025-61732

HIGH EPSS 10.6%
Published Feb 5, 20264mo ago · Modified Jun 17, 20261w ago
8.6 CVSS 3.1
High
Find Similar
Published Feb 5, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

CVSS Details

Base Score
8.6
Exploitability
1.8
Impact
6.0
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
10.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-94 Improper Control of Generation of Code (Code Injection) Injection

Affected Products 2

VendorProductVersionRange
golanggo* <1.24.13
golanggo*≥1.25.0  –  <1.25.7

References 4

  • go.dev https://go.dev/cl/734220
    PatchProduct
  • go.dev https://go.dev/issue/76697
    Issue TrackingVendor Advisory
  • groups.google.com https://groups.google.com/g/golang-announce/c/K09ubi9FQFk
    Mailing ListRelease Notes
  • pkg.go.dev https://pkg.go.dev/vuln/GO-2026-4433
    PatchVendor Advisory

Remediation

  • go.dev https://go.dev/cl/734220
    PatchProduct
  • pkg.go.dev https://pkg.go.dev/vuln/GO-2026-4433
    PatchVendor Advisory