data/reports/GO-2026-4984.yaml - vulndb - Git at Google

 id: GO-2026-4984
 modules:
     - module: cmd
       versions:
         - fixed: 1.25.10
         - introduced: 1.26.0-0
         - fixed: 1.26.3
       vulnerable_at: 1.26.2
       packages:
         - package: cmd/go
 summary: Malicious module proxy can bypass checksum database in cmd/go
 description: |-
     A malicious module proxy can exploit a flaw in the go command's validation of
     module checksums to bypass checksum database validation.

     This vulnerability affects any user using an untrusted module proxy (GOMODPROXY)
     or checksum database (GOSUMDB).

     A malicious module proxy can serve altered versions of the Go toolchain. When
     selecting a different version of the Go toolchain than the currently installed
     toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod
     with a toolchain line), the go command will download and execute a toolchain
     provided by the module proxy. A malicious module proxy can bypass checksum
     database validation for this downloaded toolchain.

     Since this vulnerability affects the security of toolchain downloads, setting
     GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade your base Go
     toolchain.

     The go tool always validates the hash of a toolchain before executing it, so
     fixed versions will refuse to execute any cached, altered versions of the
     toolchain.

     The go tool trusts go.sum files to contain accurate hashes of the current
     module's dependencies. A malicious proxy exploiting this vulnerability to serve
     an altered module will have caused an incorrect hash to be recorded in the
     go.sum. Users who have configured a non-trusted GOPROXY can determine if they
     have been affected by running "rm go.sum ; go mod tidy ; go mod verify", which
     will revalidate all dependencies of the current module.

     The specific flaw in more detail:

     The go command consults the checksum database to validate downloaded modules,
     when a module is not listed in the go.sum file. It verifies that the module hash
     reported by the checksum database matches the hash of the downloaded module. If,
     however, the checksum database returns a successful response that contains no
     entry for the module, the go command incorrectly permitted validation to
     succeed.

     A module proxy may mirror or proxy the checksum database, in which case the go
     command will not connect to the checksum database directly. Checksums reported
     by the checksum database are cryptographically signed, so a malicious proxy
     cannot alter the reported checksum for a module. However, a proxy which returns
     an empty checksum response, or a checksum response for an unrelated module,
     could cause the go command to proceed as if a downloaded module has been
     validated.
 credits:
     - Mundur (https://github.com/M0nd0R)
 references:
     - fix: https://go.dev/cl/775321
     - report: https://go.dev/issue/79070
     - web: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
 cve_metadata:
     id: CVE-2026-42501
     cwe: 'CWE-347: Improper Verification of Cryptographic Signature'
 source:
     id: go-security-team
 review_status: REVIEWED
	id: GO-2026-4984
	modules:
	- module: cmd
	versions:
	- fixed: 1.25.10
	- introduced: 1.26.0-0
	- fixed: 1.26.3
	vulnerable_at: 1.26.2
	packages:
	- package: cmd/go
	summary: Malicious module proxy can bypass checksum database in cmd/go
	description: \|-
	A malicious module proxy can exploit a flaw in the go command's validation of
	module checksums to bypass checksum database validation.

	This vulnerability affects any user using an untrusted module proxy (GOMODPROXY)
	or checksum database (GOSUMDB).

	A malicious module proxy can serve altered versions of the Go toolchain. When
	selecting a different version of the Go toolchain than the currently installed
	toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod
	with a toolchain line), the go command will download and execute a toolchain
	provided by the module proxy. A malicious module proxy can bypass checksum
	database validation for this downloaded toolchain.

	Since this vulnerability affects the security of toolchain downloads, setting
	GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade your base Go
	toolchain.

	The go tool always validates the hash of a toolchain before executing it, so
	fixed versions will refuse to execute any cached, altered versions of the
	toolchain.

	The go tool trusts go.sum files to contain accurate hashes of the current
	module's dependencies. A malicious proxy exploiting this vulnerability to serve
	an altered module will have caused an incorrect hash to be recorded in the
	go.sum. Users who have configured a non-trusted GOPROXY can determine if they
	have been affected by running "rm go.sum ; go mod tidy ; go mod verify", which
	will revalidate all dependencies of the current module.

	The specific flaw in more detail:

	The go command consults the checksum database to validate downloaded modules,
	when a module is not listed in the go.sum file. It verifies that the module hash
	reported by the checksum database matches the hash of the downloaded module. If,
	however, the checksum database returns a successful response that contains no
	entry for the module, the go command incorrectly permitted validation to
	succeed.

	A module proxy may mirror or proxy the checksum database, in which case the go
	command will not connect to the checksum database directly. Checksums reported
	by the checksum database are cryptographically signed, so a malicious proxy
	cannot alter the reported checksum for a module. However, a proxy which returns
	an empty checksum response, or a checksum response for an unrelated module,
	could cause the go command to proceed as if a downloaded module has been
	validated.
	credits:
	- Mundur (https://github.com/M0nd0R)
	references:
	- fix: https://go.dev/cl/775321
	- report: https://go.dev/issue/79070
	- web: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
	cve_metadata:
	id: CVE-2026-42501
	cwe: 'CWE-347: Improper Verification of Cryptographic Signature'
	source:
	id: go-security-team
	review_status: REVIEWED