cmd/go: Malicious module proxy can bypass checksum database (CVE-2026-42501) Vulnerability Overview The command in the Go programming language has a flaw in its module checksum verification logic, allowing malicious module proxies to bypass the checksum database verification. Attackers can exploit this vulnerability to execute arbitrary code or disrupt the build process by providing tampered Go toolchains or modules. Affected Scope Affected Users: All Go users who use untrusted module proxies ( ) or checksum databases ( ). Risk Scenarios: - When the environment variable points to a toolchain provided by a proxy. - When the proxy returns incorrect checksum responses or tampered files. - Users may re-verify affected dependencies when running or . Remediation Upgrade Go Version: Users should upgrade their base Go toolchain to a secure version. Pin Toolchain Version: Set to a specific version to avoid automatically downloading unverified toolchains. Code Patch: The Go team has released a patch to ensure correctly checks checksum database responses and verifies that module signatures exist and match expectations. Related Links CVE ID: CVE-2026-42501 Go Issue: https://go.dev/issue/79070 Reporter: Mundur (https://github.com/MondD) Notes This vulnerability was reported via private tracking and fixed through the CherryPickApprove process. The fix has been submitted to the and branches.