Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Go cmd/go checksum database validation bypass via malicious module proxy

IdentifiersCVE-2026-42501CWE-345

CVE-2026-42501 is a flaw in Go's cmd/go module and toolchain download validation logic. When the go command downloads a module that is not already pinned in go.sum, it consults the checksum database to validate the module hash. The vulnerable behavior occurs when the checksum database returns a successful response that does not actually contain an entry for the requested module: cmd/go incorrectly treated that response as a successful validation. In deployments where a module proxy mirrors or proxies checksum database responses, a malicious proxy can exploit this by returning an empty checksum response or a response for an unrelated module, causing the go command to accept an altered downloaded module as if it had been validated. The issue is especially severe for Go toolchain downloads: when the go command selects a different toolchain version than the currently installed one, such as due to GOTOOLCHAIN or a toolchain directive in go.mod or go.work, it may download and execute a toolchain supplied through the module proxy. A malicious proxy can therefore bypass checksum database validation for the downloaded toolchain and potentially cause execution of an altered Go toolchain.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker controlling or impersonating an untrusted module proxy, or influencing checksum database responses in that path, to defeat the integrity guarantees normally provided by the Go checksum database. This can result in acceptance of tampered modules and, in the most serious case, download and execution of an altered Go toolchain. That creates a supply-chain compromise scenario with potential for arbitrary code execution in the developer or build environment, persistent compromise of builds produced with the malicious toolchain, and contamination of go.sum with incorrect hashes for affected dependencies.

Mitigation

If you can’t patch tonight, do this now.

Avoid using untrusted module proxies (GOMODPROXY/GOPROXY) and untrusted checksum databases (GOSUMDB). Prefer the official Go proxy and checksum infrastructure or internally controlled, trusted mirrors. Restrict or disable automatic toolchain switching and downloads where operationally feasible, but note this is not a complete mitigation for vulnerable versions. Review build environments for use of third-party proxies, and revalidate dependency state and cached artifacts after upgrading. Fixed Go versions will refuse to execute cached altered toolchains because the go tool validates the toolchain hash before execution.

Remediation

Patch, then assume compromise.

Upgrade the base Go toolchain to a fixed release: Go 1.26.3, Go 1.25.10, or later. The fix changes cmd/go so that it verifies the expected module signature is actually present in checksum database responses rather than accepting a successful but empty or unrelated response. Because this issue affects toolchain download trust, merely pinning GOTOOLCHAIN to a fixed version is not sufficient; the installed base toolchain itself must be updated. For environments that may have used a non-trusted GOPROXY and could have recorded bad hashes, revalidate dependencies by removing go.sum and running: rm go.sum ; go mod tidy ; go mod verify.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
GolangGoapplication
GoogleGoapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

2 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-42501
NVD
nvd.nist.gov/vuln/detail/CVE-2026-42501
MITRE CWE · CWE-345
cwe.mitre.org
Patch
go.dev/cl/775321
Vendor Advisory
pkg.go.dev/vuln/GO-2026-4984
Release Notes
groups.google.com/g/golang-announce/c/qcCIEXso47M
Issue Tracking
go.dev/issue/79070