A security vulnerability CVE-2026-27139 has been identified in the Go programming language. This issue exists in the Go standard library (os package) and may cause directory listing operations to reference files outside the intended directory under certain conditions.

The vulnerability occurs due to a race condition in directory listing operations in the Go os package. Under specific conditions, the returned file metadata may reference files outside the expected directory.

Upgrade Go to a patched version.

Recommended versions:

• Go 1.25.8 or later

• Go 1.26.1 or later

References:

1. National Vulnerability Database - CVE-2026-27139

2. CVE Record : CVE-2026-27139