CVE-2026-42503

CVE-2026-42503: Accidental binding to INADDR_ANY might lead to RCE in golang.org/x/tools/gopls

Vendor Golang.org/X/Tools
Product golang.org/x/tools/gopls
Weakness CWE-1327
Published May 6, 2026
Last update May 7, 2026

CVSS base score

What the vulnerability does

01Description

gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0.  As a result, users might inadvertently cause gopls to bind 0.0.0.0. This can allow a malicious party on the same network to execute code arbitrarily via gopls.

Key dates

02Disclosure timeline

May 6, 2026 CVE published
May 7, 2026 Record updated