{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-61732","assignerOrgId":"1bb62c36-49e3-4200-9d77-64a1400537cc","state":"PUBLISHED","assignerShortName":"Go","dateReserved":"2025-09-30T15:05:03.606Z","datePublished":"2026-02-05T03:42:26.392Z","dateUpdated":"2026-07-09T12:10:06.040Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1bb62c36-49e3-4200-9d77-64a1400537cc","shortName":"Go","dateUpdated":"2026-02-05T03:42:26.392Z"},"title":"Potential code smuggling via doc comments in cmd/cgo","descriptions":[{"lang":"en","value":"A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary."}],"affected":[{"vendor":"Go toolchain","product":"cmd/cgo","collectionURL":"https://pkg.go.dev","packageName":"cmd/cgo","versions":[{"version":"0","lessThan":"1.24.13","status":"affected","versionType":"semver"},{"version":"1.25.0-0","lessThan":"1.25.7","status":"affected","versionType":"semver"}],"defaultStatus":"unaffected"}],"problemTypes":[{"descriptions":[{"lang":"en","description":"CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}],"references":[{"url":"https://go.dev/cl/734220"},{"url":"https://go.dev/issue/76697"},{"url":"https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"},{"url":"https://pkg.go.dev/vuln/GO-2026-4433"}],"credits":[{"lang":"en","value":"RyotaK (https://ryotak.net) of GMO Flatt Security Inc."}]},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-94","lang":"en","description":"CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}],"metrics":[{"cvssV3_1":{"scope":"CHANGED","version":"3.1","baseScore":8.6,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"REQUIRED","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-02-05T14:56:35.952364Z","id":"CVE-2025-61732","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-05T14:57:44.851Z"}},{"affected":[{"cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v. 10.0)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.1"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:8::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 8)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_aus:8.2::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream AUS (v. 8.2)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_aus:8.4::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream AUS (v.8.4)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_aus:8.6::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream AUS (v.8.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_e4s:8.6::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream E4S (v.8.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_tus:8.6::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream TUS (v.8.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_e4s:8.8::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream E4S (v.8.8)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_tus:8.8::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream TUS (v.8.8)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_e4s:9.0::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream E4S (v.9.0)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_e4s:9.2::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream E4S (v.9.2)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.4::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v.9.4)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.6::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v.9.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:hummingbird:1"],"defaultStatus":"affected","product":"Red Hat Hardened Images","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4.12::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Container Platform 4.12","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4.13::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Container Platform 4.13","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4.14::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Container Platform 4.14","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4.15::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Container Platform 4.15","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4.16::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Container Platform 4.16","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4.17::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Container Platform 4.17","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4.18::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Container Platform 4.18","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4.19::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Container Platform 4.19","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4.20::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Container Platform 4.20","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_devspaces:3.26::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Dev Spaces (RHOSDS) 3.26","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:service_mesh:2.6::el8"],"defaultStatus":"affected","product":"Red Hat OpenShift Service Mesh 2.6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:service_mesh:3.0::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Service Mesh 3.0","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:service_mesh:3.1::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Service Mesh 3.1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:service_mesh:3.2::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Service Mesh 3.2","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:container_native_virtualization:4"],"defaultStatus":"affected","product":"Red Hat OpenShift Virtualization 4","vendor":"Red Hat"}],"datePublic":"2026-02-05T03:42:26.392Z","descriptions":[{"lang":"en","value":"A flaw was found in Go's 'cgo tool'. This vulnerability arises from a discrepancy in how Go and C/C++ comments are parsed, which allows for malicious code to be hidden within comments and then \"smuggled\" into the compiled `cgo` binary. An attacker could exploit this to embed and execute arbitrary code, potentially leading to significant system compromise."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS"}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2025-61732"},{"name":"RHBZ#2437016","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2437016"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-61732.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3192"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:2706"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:2708"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3468"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3470"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3489"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3471"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3473"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3472"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3469"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3193"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:2709"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7385"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7291"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:12282"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:14100"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:21691"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:15091"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:14774"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10104"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:17598"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:8448"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:4434"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3855"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:2844"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3559"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3556"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:5948"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:5950"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:5952"}],"solutions":[{"lang":"en","value":"RHSA-2026:3192: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"},{"lang":"en","value":"RHSA-2026:2706: Red Hat Enterprise Linux AppStream (v. 10)"},{"lang":"en","value":"RHSA-2026:2708: Red Hat Enterprise Linux AppStream (v. 8)"},{"lang":"en","value":"RHSA-2026:3468: Red Hat Enterprise Linux AppStream AUS (v. 8.2)"},{"lang":"en","value":"RHSA-2026:3470: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"},{"lang":"en","value":"RHSA-2026:3489: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6)"},{"lang":"en","value":"RHSA-2026:3471: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"},{"lang":"en","value":"RHSA-2026:3473: Red Hat Enterprise Linux AppStream E4S (v.9.0)"},{"lang":"en","value":"RHSA-2026:3472: Red Hat Enterprise Linux AppStream E4S (v.9.2)"},{"lang":"en","value":"RHSA-2026:3469: Red Hat Enterprise Linux AppStream EUS (v.9.4)"},{"lang":"en","value":"RHSA-2026:3193: Red Hat Enterprise Linux AppStream EUS (v.9.6)"},{"lang":"en","value":"RHSA-2026:2709: Red Hat Enterprise Linux AppStream (v. 9)"},{"lang":"en","value":"RHSA-2026:7385: Red Hat Hardened Images"},{"lang":"en","value":"RHSA-2026:7291: Red Hat Hardened Images"},{"lang":"en","value":"RHSA-2026:12282: Red Hat OpenShift Container Platform 4.12"},{"lang":"en","value":"RHSA-2026:14100: Red Hat OpenShift Container Platform 4.12"},{"lang":"en","value":"RHSA-2026:21691: Red Hat OpenShift Container Platform 4.13"},{"lang":"en","value":"RHSA-2026:15091: Red Hat OpenShift Container Platform 4.14"},{"lang":"en","value":"RHSA-2026:14774: Red Hat OpenShift Container Platform 4.15"},{"lang":"en","value":"RHSA-2026:10104: Red Hat OpenShift Container Platform 4.16"},{"lang":"en","value":"RHSA-2026:17598: Red Hat OpenShift Container Platform 4.17"},{"lang":"en","value":"RHSA-2026:8448: Red Hat OpenShift Container Platform 4.18"},{"lang":"en","value":"RHSA-2026:4434: Red Hat OpenShift Container Platform 4.19"},{"lang":"en","value":"RHSA-2026:3855: Red Hat OpenShift Container Platform 4.20"},{"lang":"en","value":"RHSA-2026:2844: Red Hat OpenShift Dev Spaces (RHOSDS) 3.26"},{"lang":"en","value":"RHSA-2026:3559: Red Hat OpenShift Service Mesh 2.6"},{"lang":"en","value":"RHSA-2026:3556: Red Hat OpenShift Service Mesh 2.6"},{"lang":"en","value":"RHSA-2026:5948: Red Hat OpenShift Service Mesh 3.0"},{"lang":"en","value":"RHSA-2026:5950: Red Hat OpenShift Service Mesh 3.1"},{"lang":"en","value":"RHSA-2026:5952: Red Hat OpenShift Service Mesh 3.2"}],"timeline":[{"lang":"en","time":"2026-02-05T05:00:47.678Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-05T03:42:26.392Z","value":"Made public."}],"title":"cmd/cgo: Go cgo: Code smuggling due to comment parsing discrepancy","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-09T12:10:06.040Z"}}]}}