CVE-2026-27139: CWE-363: Race Condition Enabling Link Following in Go standard library os
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.
AI Analysis
Technical Summary
CVE-2026-27139 is a race condition (CWE-363) in the os package of the Go standard library, affecting Unix platforms. It arises when a directory opened within a Root is listed with File.ReadDir or File.Readdir. Normally these functions return FileInfo values for entries inside that root, but because the implementation does not adequately enforce the root boundary while symbolic links are resolved or the filesystem changes concurrently during the listing, the returned FileInfo can instead describe a file outside the intended root. An actor with access to the filesystem can therefore cause the application to reveal lstat metadata (file attributes, permissions, timestamps) of arbitrary files outside the root. The flaw does not permit reading or writing file contents outside the root, so its scope is limited to metadata exposure. Affected versions include all Go releases up to 1.26.0-0. No CVSS score has been assigned yet, and no exploits are known in the wild. The root cause breaks the assumption that directory listing functions are confined to the opened root, which can mislead applications that rely on these APIs for secure filesystem operations, particularly applications that enforce security boundaries based on directory roots on Unix systems.
Potential Impact
The primary impact of CVE-2026-27139 is unauthorized disclosure of filesystem metadata outside the intended directory root. While the vulnerability does not allow reading or modifying file contents, metadata exposure can still be sensitive, revealing file existence, permissions, ownership, and timestamps. This information can aid attackers in reconnaissance, privilege escalation, or crafting further attacks. Organizations using Go for Unix-based applications that perform directory listings and rely on metadata for security decisions or auditing may be affected. The risk is higher in multi-tenant environments, containerized systems, or applications enforcing strict filesystem boundaries. Since the vulnerability does not allow content access or modification, the impact on confidentiality and integrity is limited but non-negligible. Availability is not affected. The lack of known exploits and the requirement for local filesystem access or attacker control over directory contents reduce the immediate threat level. However, in environments where Go applications handle sensitive filesystem operations, this vulnerability could be leveraged as part of a broader attack chain.
Mitigation Recommendations
To mitigate CVE-2026-27139, organizations should:
1) Monitor for and apply updates to the Go standard library once a patch addressing this vulnerability is released; no patch links are currently available.
2) Audit application code that uses File.ReadDir or File.Readdir on Unix platforms and confirm that it neither trusts the returned FileInfo metadata implicitly nor assumes these functions strictly enforce directory boundaries.
3) Add application-level checks that verify, before processing, that file paths or metadata returned during directory listings reside within the expected root directory.
4) Use filesystem permissions and access controls to limit untrusted users' ability to manipulate directory contents or symbolic links that could trigger this race condition.
5) If immediate patching is not feasible, consider alternative libraries or custom directory traversal code that explicitly enforces root directory boundaries.
6) Increase logging and monitoring of filesystem metadata access to detect anomalous behavior that could indicate exploitation attempts.
These steps go beyond generic advice by focusing on code auditing, additional validation, and operational controls tailored to the nature of this race condition.
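Step 3 above, as an added example in Go (not code from the Go project or from this advisory): a listing helper that takes only the entry names from ReadDir, resolves and checks the directory against the root before touching it, and re-derives every FileInfo with Lstat under the verified directory. The function names and the constructed directory layout are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)
// ErrEscape marks a directory or entry that would resolve outside the root.
var ErrEscape = errors.New("path resolves outside root")
// resolveDir follows any symlinks in dir (relative to root) and verifies that the
// resolved directory is still root itself or a descendant of root.
func resolveDir(root, dir string) (string, error) {
	rootReal, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	dirReal, err := filepath.EvalSymlinks(filepath.Join(rootReal, dir))
	if err != nil {
		return "", err
	}
	// IsLocal rejects "..", "../x" and absolute results; "." (dir is root) passes.
	if rel, err := filepath.Rel(rootReal, dirReal); err != nil || !filepath.IsLocal(rel) {
		return "", fmt.Errorf("%w: %s", ErrEscape, dir)
	}
	return dirReal, nil
}

// ListSafely uses only the names from ReadDir and lstat's each one under the verified
// directory instead of trusting the FileInfo that File.Readdir hands back. This narrows
// the check-then-use window but cannot close it; the patched os package is the real fix.
func ListSafely(root, dir string) (map[string]fs.FileInfo, error) {
	dirReal, err := resolveDir(root, dir)
	if err != nil {
		return nil, err
	}
	entries, err := os.ReadDir(dirReal)
	if err != nil {
		return nil, err
	}
	out := make(map[string]fs.FileInfo, len(entries))
	for _, e := range entries {
		// Lstat never follows the final component: a symlink entry yields its own metadata.
		if out[e.Name()], err = os.Lstat(filepath.Join(dirReal, e.Name())); err != nil {
			return nil, err
		}
	}
	return out, nil
}
```

A descent through a symlinked subdirectory that points outside the root is refused with ErrEscape, while the symlink itself is still reported (as a symlink) when its parent is listed.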
Affected Countries
United States, Germany, China, India, United Kingdom, Japan, Canada, France, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Go
- Date Reserved: 2026-02-17T19:57:28.435Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69ab4b1fc48b3f10ffddeb13
Added to database: 3/6/2026, 9:46:07 PM
Last enriched: 3/6/2026, 10:00:38 PM
Last updated: 3/6/2026, 11:58:45 PM