CVE-2026-27139: CWE-363: Race Condition Enabling Link Following in Go standard library os
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.
AI Analysis
Technical Summary
CVE-2026-27139 is a race condition vulnerability identified in the Go programming language's standard library, specifically within the os package on Unix platforms. The issue arises when applications use File.ReadDir or File.Readdir functions to list directory contents. Due to a race condition, the FileInfo objects returned can reference files outside the root directory initially opened by the File object. This means that metadata retrieved via lstat calls can leak information about files outside the intended directory boundary. However, the vulnerability does not allow reading or writing the actual contents of files outside the root, limiting the scope to metadata exposure only. The vulnerability is classified under CWE-363 (Race Condition), indicating a timing issue that can be exploited to bypass intended access restrictions. The affected Go versions include all versions up to 1.26.0-0. The CVSS v3.1 score is 2.5, reflecting low severity, with attack vector local, high attack complexity, low privileges required, no user interaction, and limited confidentiality impact. No known exploits have been reported in the wild. The root cause is a race condition in directory listing functions that fail to properly constrain FileInfo references within the root directory, potentially allowing an attacker with local access to gather metadata about files outside the intended scope. This information could be used for further reconnaissance or privilege escalation attempts in complex attack chains.
Potential Impact
The primary impact of CVE-2026-27139 is limited confidentiality exposure of filesystem metadata outside the intended root directory. Although the vulnerability does not allow reading or modifying file contents, metadata such as file names, sizes, permissions, and timestamps can be leaked. This information disclosure could assist attackers in mapping the filesystem structure, identifying sensitive files, or planning further attacks. Since exploitation requires local access with low privileges and has high attack complexity, the risk is mitigated in environments with strict access controls. However, in multi-tenant or shared hosting environments where untrusted users have local access, this vulnerability could facilitate reconnaissance. The vulnerability does not affect integrity or availability, and no remote exploitation is possible. Overall, the impact is low but should not be ignored in sensitive or high-security environments.
Mitigation Recommendations
1. Upgrade Go to a version later than 1.26.0-0 once patches addressing CVE-2026-27139 are released by the Go project.
2. Until patches are available, avoid using File.ReadDir or File.Readdir in security-critical contexts where directory traversal or metadata leakage could be exploited.
3. Implement strict filesystem permissions and access controls to limit local user access to sensitive directories and files.
4. Use containerization or sandboxing to isolate processes and reduce the risk of local privilege escalation or information leakage.
5. Monitor and audit local user activities to detect unusual directory listing or metadata access patterns.
6. Consider application-level validation to ensure that file metadata accessed corresponds strictly to intended directories.
7. Educate developers about the risks of race conditions and encourage secure coding practices when handling filesystem operations.
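As an added illustration of recommendation 6 (example code written for this page, not code from the Go project or from the advisory), the listing below opens a directory as an os.Root, enumerates it with File.ReadDir, and then takes each entry's metadata from Root.Lstat on the entry's base name instead of from the DirEntry's Info(), so every FileInfo the application keeps has been re-resolved through the root's own path checks. The names ListWithinRoot, EntryMeta and demo are the example's own; the files and the symlink pointing outside the root that it creates are constructed in a temporary directory. This is an application-level safeguard in the spirit of the recommendation, not a substitute for upgrading; it needs Go 1.24 or later for os.Root.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// EntryMeta is the metadata kept for one directory entry. It is filled from
// root.Lstat rather than from the FileInfo handed back by ReadDir/Readdir.
type EntryMeta struct {
	Name   string
	Mode   fs.FileMode
	Size   int64
	IsLink bool
}

// ListWithinRoot lists dir (relative to root) and fetches each entry's
// metadata through root.Lstat, which resolves the path inside the root's
// boundary and does not follow the final symlink. Entries whose
// re-resolution fails are reported in errs rather than silently dropped.
func ListWithinRoot(root *os.Root, dir string) ([]EntryMeta, []error) {
	f, err := root.Open(dir)
	if err != nil {
		return nil, []error{err}
	}
	defer f.Close()

	entries, err := f.ReadDir(-1)
	if err != nil {
		return nil, []error{err}
	}

	var out []EntryMeta
	var errs []error
	for _, e := range entries {
		// Only the entry's base name is taken from the listing; the metadata
		// comes from root.Lstat, not from e.Info().
		fi, err := root.Lstat(filepath.Join(dir, e.Name()))
		if err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", e.Name(), err))
			continue
		}
		out = append(out, EntryMeta{
			Name:   e.Name(),
			Mode:   fi.Mode(),
			Size:   fi.Size(),
			IsLink: fi.Mode()&fs.ModeSymlink != 0,
		})
	}
	return out, errs
}

// demo builds a constructed root holding a regular file and a symlink whose
// target lies outside the root, then lists it. The symlink is reported as a
// symlink (lstat semantics); its target is never followed out of the root.
func demo() ([]EntryMeta, []error, error) {
	base, err := os.MkdirTemp("", "rootdemo")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(base)

	rootDir := filepath.Join(base, "root")
	if err := os.Mkdir(rootDir, 0o755); err != nil {
		return nil, nil, err
	}
	if err := os.WriteFile(filepath.Join(rootDir, "inside.txt"), []byte("hello"), 0o644); err != nil {
		return nil, nil, err
	}
	outside := filepath.Join(base, "outside.txt") // constructed file outside the root
	if err := os.WriteFile(outside, []byte("secret"), 0o644); err != nil {
		return nil, nil, err
	}
	if err := os.Symlink(outside, filepath.Join(rootDir, "escape")); err != nil {
		return nil, nil, err
	}

	root, err := os.OpenRoot(rootDir)
	if err != nil {
		return nil, nil, err
	}
	defer root.Close()

	metas, errs := ListWithinRoot(root, ".")
	return metas, errs, nil
}

func main() {
	metas, errs, err := demo()
	if err != nil {
		fmt.Println("setup error:", err)
		return
	}
	for _, m := range metas {
		fmt.Printf("%-12s mode=%v size=%d symlink=%v\n", m.Name, m.Mode, m.Size, m.IsLink)
	}
	for _, e := range errs {
		fmt.Println("skipped:", e)
	}
}
```

Because Root.Lstat does not follow the last path component, the entry named escape is reported as a symlink with its own mode and size; nothing about outside.txt is read. Callers that need to follow a link should do so with Root.Stat or Root.Open, which apply the same boundary checks.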
Affected Countries
United States, Germany, China, India, United Kingdom, Japan, South Korea, France, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: Go
- Date Reserved: 2026-02-17T19:57:28.435Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69ab4b1fc48b3f10ffddeb13
Added to database: 3/6/2026, 9:46:07 PM
Last enriched: 3/14/2026, 8:04:52 PM
Last updated: 4/21/2026, 4:31:49 AM