{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2025-61732", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2025-09-30T15:05:03.606Z", "datePublished": "2026-02-05T03:42:26.392Z", "dateUpdated": "2026-07-09T12:10:06.040Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-02-05T03:42:26.392Z" }, "title": "Potential code smuggling via doc comments in cmd/cgo", "descriptions": [ { "lang": "en", "value": "A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary." } ], "affected": [ { "vendor": "Go toolchain", "product": "cmd/cgo", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/cgo", "versions": [ { "version": "0", "lessThan": "1.24.13", "status": "affected", "versionType": "semver" }, { "version": "1.25.0-0", "lessThan": "1.25.7", "status": "affected", "versionType": "semver" } ], "defaultStatus": "unaffected" } ], "problemTypes": [ { "descriptions": [ { "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')" } ] } ], "references": [ { "url": "https://go.dev/cl/734220" }, { "url": "https://go.dev/issue/76697" }, { "url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk" }, { "url": "https://pkg.go.dev/vuln/GO-2026-4433" } ], "credits": [ { "lang": "en", "value": "RyotaK (https://ryotak.net) of GMO Flatt Security Inc." } ] }, "adp": [ { "problemTypes": [ { "descriptions": [ { "type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')" } ] } ], "metrics": [ { "cvssV3_1": { "scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH" } }, { "other": { "type": "ssvc", "content": { "timestamp": "2026-02-05T14:56:35.952364Z", "id": "CVE-2025-61732", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:57:44.851Z" } }, { "affected": [ { "cpes": [ "cpe:/o:redhat:enterprise_linux_eus:10.0" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux:10.1" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream (v. 10)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream (v. 8)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_aus:8.2::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream AUS (v. 8.2)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_aus:8.4::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_aus:8.6::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_e4s:8.6::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream E4S (v.8.6)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_tus:8.6::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream TUS (v.8.6)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_e4s:8.8::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_tus:8.8::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_e4s:9.0::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_e4s:9.2::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_eus:9.4::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_eus:9.6::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream (v. 9)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:hummingbird:1" ], "defaultStatus": "affected", "product": "Red Hat Hardened Images", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift:4.12::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4.12", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift:4.13::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4.13", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift:4.14::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4.14", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift:4.15::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4.15", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift:4.16::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4.16", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift:4.17::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4.17", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift:4.18::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4.18", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift:4.19::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4.19", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift:4.20::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4.20", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_devspaces:3.26::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Dev Spaces (RHOSDS) 3.26", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:service_mesh:2.6::el8" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Service Mesh 2.6", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:service_mesh:3.0::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Service Mesh 3.0", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:service_mesh:3.1::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Service Mesh 3.1", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:service_mesh:3.2::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Service Mesh 3.2", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:container_native_virtualization:4" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Virtualization 4", "vendor": "Red Hat" } ], "datePublic": "2026-02-05T03:42:26.392Z", "descriptions": [ { "lang": "en", "value": "A flaw was found in Go's 'cgo tool'. This vulnerability arises from a discrepancy in how Go and C/C++ comments are parsed, which allows for malicious code to be hidden within comments and then \"smuggled\" into the compiled `cgo` binary. An attacker could exploit this to embed and execute arbitrary code, potentially leading to significant system compromise." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "format": "CVSS" } ], "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2025-61732" }, { "name": "RHBZ#2437016", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437016" }, { "tags": [ "x_sadp-csaf-vex" ], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-61732.json" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:3192" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:2706" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:2708" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:3468" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:3470" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:3489" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:3471" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:3473" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:3472" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:3469" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:3193" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:2709" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:7385" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:7291" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:12282" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:14100" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:21691" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:15091" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:14774" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:10104" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:17598" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:8448" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:4434" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:3855" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:2844" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:3559" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:3556" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:5948" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:5950" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:5952" } ], "solutions": [ { "lang": "en", "value": "RHSA-2026:3192: Red Hat Enterprise Linux AppStream EUS (v. 10.0)" }, { "lang": "en", "value": "RHSA-2026:2706: Red Hat Enterprise Linux AppStream (v. 10)" }, { "lang": "en", "value": "RHSA-2026:2708: Red Hat Enterprise Linux AppStream (v. 8)" }, { "lang": "en", "value": "RHSA-2026:3468: Red Hat Enterprise Linux AppStream AUS (v. 8.2)" }, { "lang": "en", "value": "RHSA-2026:3470: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)" }, { "lang": "en", "value": "RHSA-2026:3489: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6)" }, { "lang": "en", "value": "RHSA-2026:3471: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)" }, { "lang": "en", "value": "RHSA-2026:3473: Red Hat Enterprise Linux AppStream E4S (v.9.0)" }, { "lang": "en", "value": "RHSA-2026:3472: Red Hat Enterprise Linux AppStream E4S (v.9.2)" }, { "lang": "en", "value": "RHSA-2026:3469: Red Hat Enterprise Linux AppStream EUS (v.9.4)" }, { "lang": "en", "value": "RHSA-2026:3193: Red Hat Enterprise Linux AppStream EUS (v.9.6)" }, { "lang": "en", "value": "RHSA-2026:2709: Red Hat Enterprise Linux AppStream (v. 9)" }, { "lang": "en", "value": "RHSA-2026:7385: Red Hat Hardened Images" }, { "lang": "en", "value": "RHSA-2026:7291: Red Hat Hardened Images" }, { "lang": "en", "value": "RHSA-2026:12282: Red Hat OpenShift Container Platform 4.12" }, { "lang": "en", "value": "RHSA-2026:14100: Red Hat OpenShift Container Platform 4.12" }, { "lang": "en", "value": "RHSA-2026:21691: Red Hat OpenShift Container Platform 4.13" }, { "lang": "en", "value": "RHSA-2026:15091: Red Hat OpenShift Container Platform 4.14" }, { "lang": "en", "value": "RHSA-2026:14774: Red Hat OpenShift Container Platform 4.15" }, { "lang": "en", "value": "RHSA-2026:10104: Red Hat OpenShift Container Platform 4.16" }, { "lang": "en", "value": "RHSA-2026:17598: Red Hat OpenShift Container Platform 4.17" }, { "lang": "en", "value": "RHSA-2026:8448: Red Hat OpenShift Container Platform 4.18" }, { "lang": "en", "value": "RHSA-2026:4434: Red Hat OpenShift Container Platform 4.19" }, { "lang": "en", "value": "RHSA-2026:3855: Red Hat OpenShift Container Platform 4.20" }, { "lang": "en", "value": "RHSA-2026:2844: Red Hat OpenShift Dev Spaces (RHOSDS) 3.26" }, { "lang": "en", "value": "RHSA-2026:3559: Red Hat OpenShift Service Mesh 2.6" }, { "lang": "en", "value": "RHSA-2026:3556: Red Hat OpenShift Service Mesh 2.6" }, { "lang": "en", "value": "RHSA-2026:5948: Red Hat OpenShift Service Mesh 3.0" }, { "lang": "en", "value": "RHSA-2026:5950: Red Hat OpenShift Service Mesh 3.1" }, { "lang": "en", "value": "RHSA-2026:5952: Red Hat OpenShift Service Mesh 3.2" } ], "timeline": [ { "lang": "en", "time": "2026-02-05T05:00:47.678Z", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2026-02-05T03:42:26.392Z", "value": "Made public." } ], "title": "cmd/cgo: Go cgo: Code smuggling due to comment parsing discrepancy", "x_adpType": "supplier", "x_generator": { "engine": "sadp-cli 1.0.0" }, "providerMetadata": { "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-07-09T12:10:06.040Z" } } ] } }