Golang Tool Pack Archive Extraction Flaw Exposes Systems to Arbitrary File Write; CVE-2026-39817 Tracked
A critical path traversal vulnerability in Go's internal archive utility tool allows malicious archives to write files to arbitrary filesystem locations. The flaw, tracked as CVE-2026-39817 and now publicly disclosed, affects the `go tool pack` subcommand—a stripped-down archive handler used primarily as an internal compiler component.
The vulnerability stems from insufficient path sanitization during archive extraction. When processing an archive with `go tool pack x $ARCHIVE`, the tool writes extracted files without validating that target paths remain within intended boundaries. An attacker could craft a specially formatted archive containing paths with traversal sequences—commonly "../" patterns—to escape the extraction directory and drop files anywhere on the filesystem accessible to the process. This is a textbook arbitrary file write condition, the same class of flaw that has enabled privilege escalation and remote code execution in countless software packages.
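The containment check that an extraction routine needs in order to stop this class of flaw is short, and it is worth seeing concretely. The following Go program is an added example written for this article; it is not code from the Go project or from `go tool pack`, and it does not parse the real pack archive format. Instead it takes a constructed list of archive entries (the `Entry` type, `SafeExtractPath`, `ExtractAll` and `ConstructedEntries` are all names chosen here) and shows how each entry name is resolved against the extraction directory and rejected when its cleaned form would land outside it, covering the plain "../" case, a traversal hidden behind a benign prefix, an absolute path, and the directory itself.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Entry is one member of an archive: the name recorded in the archive header
// and the bytes that should be written under that name.
type Entry struct {
	Name string
	Data []byte
}

// ErrUnsafePath marks an entry whose name would resolve outside the
// extraction directory (a path-traversal or absolute-path entry).
var ErrUnsafePath = errors.New("archive entry escapes extraction directory")

// SafeExtractPath maps an archive entry name onto the extraction directory
// dest and returns the absolute target path. It rejects empty names, absolute
// paths, names carrying a Windows volume, "." itself, and any name whose
// cleaned form still climbs above dest.
func SafeExtractPath(dest, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", ErrUnsafePath
	}
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return "", err
	}
	// Join cleans the path, so "a/../../x" collapses to "<parent of dest>/x"
	// before the containment check runs.
	target := filepath.Join(absDest, filepath.FromSlash(name))
	rel, err := filepath.Rel(absDest, target)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// ExtractAll writes every entry that passes SafeExtractPath beneath dest and
// returns the written paths plus the entry names that were rejected. Files are
// opened with O_EXCL so an entry can never overwrite something already on disk.
func ExtractAll(dest string, entries []Entry) ([]string, []string, error) {
	var written, rejected []string
	for _, e := range entries {
		target, err := SafeExtractPath(dest, e.Name)
		if errors.Is(err, ErrUnsafePath) {
			rejected = append(rejected, e.Name)
			continue
		}
		if err != nil {
			return written, rejected, err
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, rejected, err
		}
		f, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
		if err != nil {
			return written, rejected, err
		}
		_, werr := f.Write(e.Data)
		if cerr := f.Close(); werr == nil {
			werr = cerr
		}
		if werr != nil {
			return written, rejected, werr
		}
		written = append(written, target)
	}
	return written, rejected, nil
}

// ConstructedEntries is a made-up archive listing (not a real go tool pack
// archive): two benign members and four that try to leave the directory.
func ConstructedEntries() []Entry {
	return []Entry{
		{Name: "pkg/hello.o", Data: []byte("object code")},
		{Name: "sub/../sibling.o", Data: []byte("lands at <dest>/sibling.o")},
		{Name: "../../../../escaped.txt", Data: []byte("classic traversal")},
		{Name: "nested/../../escaped.txt", Data: []byte("traversal behind a benign prefix")},
		{Name: "/absolute/escaped.txt", Data: []byte("absolute path")},
		{Name: ".", Data: []byte("the directory itself")},
	}
}

func main() {
	dest, err := os.MkdirTemp("", "pack-extract-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	written, rejected, err := ExtractAll(dest, ConstructedEntries())
	if err != nil {
		panic(err)
	}
	fmt.Println("written: ", written)
	fmt.Println("rejected:", rejected)
}
```

Two points about the design. The check is done on the cleaned, joined path rather than by searching the raw name for `..`, because a prefix-only scan misses entries such as `nested/../../x` and wrongly rejects harmless names like `sub/../sibling.o`. It also does not cover symlinks: if an earlier entry could create a symlink inside the destination that points elsewhere, a later entry written through it would still escape, so an extractor that honours symlink entries needs to resolve or refuse them separately.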
The `go tool pack` utility is officially described as an internal compiler tool operating on "known-good inputs." However, the public disclosure and assignment of a CVE indicate that the vulnerability is now treated as a realistic attack surface rather than merely a theoretical risk. Harshit Gupta, operating under the alias "Mr HAX," reported the issue. The classification as a PUBLIC track vulnerability means details are accessible to the broader security community, increasing pressure on Go maintainers to issue a patch and on downstream users to assess their exposure.
Organizations using the Go toolchain should monitor for updates from the Go project addressing CVE-2026-39817. Until a fix is available, any workflow involving extraction of untrusted archives with `go tool pack` should be treated as a potential attack vector. The incident underscores that even utility components designed for controlled environments can become entry points if inputs cannot be fully trusted.