cgo

The Go toolchain’s build pipeline was quietly exposed to a high‑risk code‑injection flaw in 2023, and its consequences are still instructive for developers, CI operators, and security teams: CVE-2023-29402 allowed the go command, when invoked with cgo, to generate unexpected and...

The Go toolchain’s cgo LDFLAGS bug — tracked as CVE‑2023‑29404 — is a high‑severity build‑time weakness that lets a malicious module smuggle unsafe linker directives into the go command’s invocation, creating a practical path to arbitrary code execution during compilation and packaging. This is...