PT-2026-38570 · Google · Go

Published 2026-05-01 · Updated 2026-05-21 · CVE-2026-42501

CVSS v2.0: 7.6 (High)

Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Go (affected versions not specified)

Description

A flaw in the go command's validation of module checksums allows a malicious module proxy to bypass checksum database validation. This occurs when the checksum database returns a successful response that contains no entry for the module, leading the go command to incorrectly permit validation to succeed. Consequently, a malicious proxy can serve altered versions of the Go toolchain or modules. This is particularly critical when a different toolchain version is selected via the GOTOOLCHAIN environment variable, a go.work file, or a go.mod file, as the go command will download and execute the toolchain provided by the proxy. The issue affects users utilizing an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB).

Recommendations

Upgrade the base Go toolchain. Users with a non-trusted GOPROXY can revalidate all dependencies of the current module by running "rm go.sum ; go mod tidy ; go mod verify".
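
The class of check the description refers to, shown fail-open beside fail-closed. This is an added Go example, not the go command's source and not the actual patch. The function names, the module path and the hashes are constructed, and the input is modelled on go.sum-style lines.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var (
	ErrMissing  = errors.New("checksum database response has no entry for module")
	ErrMismatch = errors.New("module hash differs from checksum database entry")
)

// checkLenient models the fail-open pattern: when the response holds no line
// for mod@ver, the comparison is never reached and the function returns nil.
func checkLenient(resp, mod, ver, got string) error {
	for _, line := range strings.Split(resp, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == mod && f[1] == ver && f[2] != got {
			return ErrMismatch
		}
	}
	return nil
}

// checkStrict fails closed: success requires a matching entry to be present.
func checkStrict(resp, mod, ver, got string) error {
	for _, line := range strings.Split(resp, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || f[0] != mod || f[1] != ver {
			continue // unrelated line, e.g. the "/go.mod" hash or another module
		}
		if f[2] != got {
			return ErrMismatch
		}
		return nil
	}
	return fmt.Errorf("%s@%s: %w", mod, ver, ErrMissing)
}

func main() {
	// Constructed sample data; "" stands for a successful but empty response.
	full := "example.com/mod v1.0.0 h1:AAAA=\nexample.com/mod v1.0.0/go.mod h1:BBBB=\n"
	fmt.Println(checkLenient("", "example.com/mod", "v1.0.0", "h1:EVIL="))
	fmt.Println(checkStrict("", "example.com/mod", "v1.0.0", "h1:EVIL="))
	fmt.Println(checkStrict(full, "example.com/mod", "v1.0.0", "h1:AAAA="))
}
```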

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

BDU:2026-08061
BIT-GOLANG-2026-42501
CVE-2026-42501
GO-2026-4984
OPENSUSE-SU-2026:10723-1
OPENSUSE-SU-2026:10741-1
OPENSUSE-SU-2026:10755-1

Affected Products

Go