The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code.
This can be triggered by a malicious unquoted symbol name in a linked object file.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2022-0475" }