CVE-2026-42503— Accidental binding to INADDR_ANY might lead to RCE in golang.org/x/tools/gopls

Accidental binding to INADDR_ANY might lead to RCE in golang.org/x/tools/gopls

gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0.  As a result, users might inadvertently cause gopls to bind 0.0.0.0. This can allow a malicious party on the same network to execute code arbitrarily via gopls.

N/A

CWE-1327

Google Go 安全漏洞

Google Go是美国谷歌（Google）公司的一种静态强类型、编译型、并发型，并具有垃圾回收功能的编程语言。 Google Go存在安全漏洞，该漏洞源于监听地址绑定到0.0.0.0，可能导致同一网络上的恶意方通过gopls执行任意代码。

N/A

N/A