{"id":"GO-2026-4433","summary":"Potential code smuggling via doc comments in cmd/cgo","details":"A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.","aliases":["BIT-golang-2025-61732","CVE-2025-61732"],"modified":"2026-05-15T10:59:24.501827064Z","published":"2026-02-05T03:10:52Z","related":["CGA-xcpc-gm23-prj9","RHSA-2026:2706","RHSA-2026:2708","RHSA-2026:2709","RHSA-2026:3192","RHSA-2026:3193","RHSA-2026:3468","RHSA-2026:3469","RHSA-2026:3470","RHSA-2026:3471","RHSA-2026:3472","RHSA-2026:3473","RHSA-2026:3489","RHSA-2026:7291","RHSA-2026:7385"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-4433"},"references":[{"type":"FIX","url":"https://go.dev/cl/734220"},{"type":"REPORT","url":"https://go.dev/issue/76697"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"}],"affected":[{"package":{"name":"toolchain","ecosystem":"Go","purl":"pkg:golang/toolchain"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.24.13"},{"introduced":"1.25.0-0"},{"fixed":"1.25.7"}]}],"ecosystem_specific":{"imports":[{"path":"cmd/cgo"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4433.json"}}],"schema_version":"1.7.3","credits":[{"name":"RyotaK (https://ryotak.net) of GMO Flatt Security Inc."}]}