{"id":"GO-2026-4339","summary":"Arbitrary file write using cgo pkg-config directive in cmd/go","details":"Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content.\n\nThe \"#cgo pkg-config:\" directive in a Go source file specifies command-line arguments to pass to the Go pkg-config command. An attacker can provide a \"--log-file\" argument to this directive, causing pkg-config to write to an attacker-controlled location.","aliases":["BIT-golang-2025-61731","CVE-2025-61731"],"modified":"2026-04-08T10:29:15.968789072Z","published":"2026-01-28T19:07:59Z","related":["CGA-qf8r-r99j-68mj","RHSA-2026:5941","RHSA-2026:5942","RHSA-2026:5943","RHSA-2026:5944","RHSA-2026:6949"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-4339"},"references":[{"type":"FIX","url":"https://go.dev/cl/736711"},{"type":"REPORT","url":"https://go.dev/issue/77100"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"}],"affected":[{"package":{"name":"toolchain","ecosystem":"Go","purl":"pkg:golang/toolchain"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.24.12"},{"introduced":"1.25.0"},{"fixed":"1.25.6"}]}],"ecosystem_specific":{"imports":[{"path":"cmd/go"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4339.json"}}],"schema_version":"1.7.5","credits":[{"name":"RyotaK (https://ryotak.net) of GMO Flatt Security Inc."}]}