Multiple vulnerabilities in Go programming language
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2025-22867 CVE-2025-22866 |
| CWE-ID | CWE-94 CWE-401 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Go programming language Universal components / Libraries / Scripting languages |
| Vendor |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Code Injection
EUVDB-ID: #VU103933
Risk: Low
CVSSv4.0: 4.1 [CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-22867
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. A local user can trigger code execution while building a Go module which contains CGO when using the Apple version of ld.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGo programming language: 1.24 rc2
CPE2.3 External linkshttps://go.dev/cl/646996
https://go.dev/issue/71476
https://groups.google.com/g/golang-dev/c/TYzikTgHK6Y
https://pkg.go.dev/vuln/GO-2025-3428
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory leak
EUVDB-ID: #VU103932
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-22866
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a small number of bits of secret scalars are leaked on the ppc64le architecture in crypto/internal/nistec. A local user can gain access to potentially sensitive information.
Install updates from vendor's website.
Vulnerable software versionsGo programming language: 1.20 - 1.24 rc2
CPE2.3https://go.dev/cl/643735
https://go.dev/issue/71383
https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k
https://pkg.go.dev/vuln/GO-2025-3447
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
