CVE-2025-61731

Severity: High (Red Hat)
CVSS v3 Base Score: 8.6
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Published: January 28, 2026
Last Modified: January 28, 2026
Vendor: Red Hat

Description

Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file supplies command-line arguments for the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.

CWE

CWE-88

Affected Products

OpenShift Service Mesh 3
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat OpenShift Virtualization 4
Red Hat OpenShift Container Platform 4.2
Red Hat OpenShift Service Mesh 2.6

Fix Status

✅ Fix Available

References