CVE-2026-32282

Improper Link Resolution Before File Access ('Link Following')
Affects
Go (golang) standard library, os.Root API; reaches Ingress NGINX Controller via the Go toolchain it is built with
in
Ingress NGINX
Versions
Go <1.25.9 and 1.26.0 through 1.26.1 (and Ingress NGINX builds compiled with them)

Overview

Go is the open-source programming language designed at Google and maintained by the Go team and a broad community of contributors. The standard library os package exposes the Root type, a sandboxed filesystem handle introduced to constrain operations to a single directory tree. os.Root is intended as a safety boundary when an application processes untrusted paths.

A symlink-following vulnerability (CVE-2026-32282) in Root.Chmod on Linux allows a local attacker who can race the operation to apply file mode changes to targets outside the intended root. The flaw reaches internal/syscall/unix.Fchmodat, which assumes the Linux fchmodat syscall honors AT_SYMLINK_NOFOLLOW; the kernel silently ignores that flag for chmod, so an attacker who substitutes a symlink between the pre-call check and the syscall can redirect chmod to an arbitrary target.

Per OWASP: a Time-of-Check to Time-of-Use (TOCTOU) race condition occurs when the security state of a resource changes between when a program checks it and when the program acts on it, allowing an attacker to substitute the resource and bypass the check.

This issue affects Go versions prior to 1.25.9 and Go 1.26.0 through 1.26.1, and reaches Ingress NGINX Controller deployments through the Go toolchain the controller binary is compiled with. HeroDevs has resolved it in NES for Ingress NGINX 1.15.2 by rebuilding the controller against Go 1.26.2.

Why this matters for Ingress NGINX deployments

Ingress NGINX is a Go binary that wraps NGINX. Its supply chain includes the Go standard library and the Go toolchain itself. Even if zero new CVEs were ever filed against ingress-nginx code, the project's CVE exposure would continue to climb because the Go toolchain releases security patches roughly every six to eight weeks, and each patch fixes vulnerabilities that remain in already-compiled binaries until those binaries are rebuilt.

That redo is exactly what stopped happening when the Kubernetes project retired Ingress NGINX in March 2026. The Go 1.26.2 release that resolved CVE-2026-32282 shipped April 7, 2026, well after the upstream EOL. No upstream Ingress NGINX release will rebase the build to consume it. Every cluster running upstream ingress-nginx v1.15.1 (or earlier) ships a controller binary that links a Go runtime with the symlink-following bug.

NES for Ingress NGINX 1.15.2 is built on upstream ingress-nginx v1.15.1 with the toolchain upgraded from Go 1.26.1 to Go 1.26.2 and the binary recompiled. The container image and Helm chart are drop-in replacements for the upstream v1.15.1 build.

Details

Module Info

  • Product: Go programming language standard library; build-time dependency of Ingress NGINX Controller
  • Affected components: os.Root.Chmod, internal/syscall/unix.Fchmodat
  • Affected versions: Go <1.25.9 and 1.26.0 through 1.26.1; Ingress NGINX binaries compiled with those toolchains
  • Upstream GitHub repository: <https://github.com/golang/go>
  • Published artifacts (NES):
  • Distribution channels: registry.nes.herodevs.com, HeroDevs Helm chart repository
  • Fixed in:

Vulnerability Info

This Medium-severity vulnerability is found in the os.Root.Chmod path of the Go standard library on Linux.

The os.Root API was introduced to give Go programs a sandboxed filesystem handle. Operations against a Root are expected to fail when a path resolves to a target outside the directory the Root was opened on. To enforce this for Chmod, the implementation first inspects the target with lstat semantics, refuses the operation if the target is a symlink that escapes the root, and passes AT_SYMLINK_NOFOLLOW on the underlying syscall so that fchmodat operates on the link itself rather than its target.

The Linux fchmodat(2) syscall does not honor AT_SYMLINK_NOFOLLOW for chmod: the kernel silently follows the symlink. Combined with the gap between the lstat check and the fchmodat call, an attacker who can race the operation can replace the target with a symlink pointing outside the Root and have chmod applied to the symlink target.

Threat model for Ingress NGINX clusters: exploitation requires local access to a Pod or host where the controller (or another Go binary built with a vulnerable toolchain) calls Root.Chmod, and the ability to win a TOCTOU race during that call. The attacker need not have access outside the Root themselves; the privileged Root holder performs the chmod on the attacker's behalf. While the controller's primary path is not Root.Chmod, the bug class affects every Go binary in the cluster compiled with the vulnerable toolchain (admission webhooks, sidecars, init containers, operators), so the practical scope is "every Go-built component until each is rebuilt".

When successfully exploited, this vulnerability can lead to:

  • Unauthorized permission changes on files outside the Go program's intended sandbox
  • Privilege escalation when sensitive system files become writable or executable
  • Subversion of security guarantees that downstream code relies on the os.Root abstraction to provide

Proof Of Concept

A reference reproduction is described in the upstream report at <https://go.dev/issue/78293> and the fix at <https://go.dev/cl/763761>.

Mitigation

OSS Users

Users of Go and upstream Ingress NGINX should apply one of the following mitigations:

  • Upgrade to Go 1.25.9 or Go 1.26.2 and rebuild affected applications and container images.
  • If an upgrade cannot be deployed immediately, avoid invoking Root.Chmod on paths that an unprivileged process can replace, and consider performing chmod operations against an O_PATH file descriptor opened with O_NOFOLLOW from a known-safe parent.
  • Reduce blast radius by running services that use os.Root under dedicated, low-privilege accounts and on filesystems that untrusted local users cannot write into.
  • For Ingress NGINX specifically, no upstream release will rebase against Go 1.26.2 because the project retired in March 2026. Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched Ingress NGINX build.

NES Customers

HeroDevs Never Ending Support for Ingress NGINX has resolved CVE-2026-32282 in NES for Ingress NGINX 1.15.2 by rebuilding the controller against Go 1.26.2. The release ships as a drop-in replacement for upstream ingress-nginx v1.15.1:

  • Pull the patched container image: registry.nes.herodevs.com/neverendingsupport/ingress-nginx-controller:v1.15.1-nes-1.15.2
  • Or upgrade via the public Helm chart: HeroDevs/ingress-nginx --version 0.0.2 (helm-charts documentation)
  • VEX statements ship with the release so scanners that consume OpenVEX or CycloneDX VEX surface the patched status instead of leaving CVE-2026-32282 as an open finding.

Compliance impact

Toolchain CVEs do not get widespread attention but propagate into every Go binary built before the patch. For Ingress NGINX at the cluster edge, that surfaces in scans and audits. Several frameworks make the gap acute:

  • The EU Cyber Resilience Act's Article 14 reporting obligations begin September 11, 2026; "the upstream project no longer ships fixes" is not a valid answer.
  • DORA's ICT third-party risk requirements have been in force since January 2025.
  • PCI DSS 4.0 expects continuous evidence that components receive security patches.
  • FedRAMP authorizations carry continuous monitoring obligations.

The NES release ships a documented patch trail plus VEX statements that scanners consume programmatically.

Taking Action

If you operate Go services that use os.Root on Linux as a security boundary, upgrade to Go 1.25.9 or 1.26.2 immediately. For Ingress NGINX deployments specifically, the upstream project will not ship a release that picks up Go 1.26.2 because it retired in March 2026 and is in dependency-CVE drift. NES for Ingress NGINX 1.15.2 is the patched build for clusters that cannot complete a Gateway API migration before regulatory deadlines. Pull the 1.15.2 image and Helm chart per docs.herodevs.com/ingress-nginx/release-notes.

Credits

  • Uuganbayar Lkhamsuren (@uug4na) (finder)
  • Go security team (coordination and fix)

References

Vulnerability Details

  • Severity: Medium (CVSS scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
  • ID: CVE-2026-32282
  • Project Affected: Go (golang) standard library, os.Root API; reaches Ingress NGINX Controller via the Go toolchain it is built with
  • Versions Affected: Go <1.25.9 and 1.26.0 through 1.26.1 (and Ingress NGINX builds compiled with them)
  • NES Versions Affected:
  • Published date: April 29, 2026
  • Fix date: April 7, 2026
  • Category: Improper Link Resolution Before File Access ('Link Following')