CVE-2018-6574

Name: CVE-2018-6574
Creator: NVD / NIST
Published: 2018-02-07T21:29:00.25+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 7.70%

Last modified Jun 17, 2026

CVE-2018-6574 is a vulnerability of currently unknown severity. Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.. EPSS estimates a 7.70% chance of exploitation in the next 30 days.

Description

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

Metrics

EPSS Probability

7.70%

93.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-94

Affected Software

Vendor	Product	Versions	Update
Golang	Go	<= 1.8.6	—
Golang	Go	1.9	—
Golang	Go	1.9.1	—
Golang	Go	1.9.2	—
Golang	Go	1.9.3	—
Golang	Go	1.10	Beta1
Debian	Debian Linux	9.0	—
Redhat	Enterprise Linux Server	7.0	—
Redhat	Enterprise Linux Server Aus	7.6	—
Redhat	Enterprise Linux Server Eus	7.6	—
Redhat	Enterprise Linux Server Tus	7.6	—

References

https://access.redhat.com/errata/RHSA-2018:0878Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1304Third Party Advisory
https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574Exploit, Third Party Advisory
https://github.com/golang/go/issues/23672Issue Tracking, Third Party Advisory
https://groups.google.com/forum/#%21topic/golang-nuts/Gbhh1NxAjMU
https://groups.google.com/forum/#%21topic/golang-nuts/sprOaQ5m3Dk
https://www.debian.org/security/2019/dsa-4380Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0878Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1304Third Party Advisory
https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574Exploit, Third Party Advisory
https://github.com/golang/go/issues/23672Issue Tracking, Third Party Advisory
https://groups.google.com/forum/#%21topic/golang-nuts/Gbhh1NxAjMU
https://groups.google.com/forum/#%21topic/golang-nuts/sprOaQ5m3Dk
https://www.debian.org/security/2019/dsa-4380Third Party Advisory

Timeline

Published: Feb 7, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-6574?

How severe is CVE-2018-6574?

Severity scoring for CVE-2018-6574 is pending analysis. The EPSS model estimates a 7.70% probability of exploitation in the next 30 days.

How do I fix CVE-2018-6574?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-6574?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST