CVE-2026-32282

TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

Assigner: Go
Reserved: 11.03.2026 Published: 08.04.2026 Updated: 08.04.2026

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Product Status

Vendor	Go standard library
Product	internal/syscall/unix
Versions	Default: unaffected affected from 0 to 1.25.9 (excl.) affected from 1.26.0-0 to 1.26.2 (excl.)

Vendor

Go standard library

Product

internal/syscall/unix

Versions

Default: unaffected

affected from 0 to 1.25.9 (excl.)
affected from 1.26.0-0 to 1.26.2 (excl.)

Credits

Uuganbayar Lkhamsuren (https://github.com/uug4na)

References

Problem Types

CWE-61: UNIX Symbolic Link (Symlink) Following

CVE-2026-32282 PUBLISHED

TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

Product Status

Credits

References

Problem Types