{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27143", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-17T19:57:28.435Z", "datePublished": "2026-04-08T01:06:57.168Z", "dateUpdated": "2026-04-08T01:06:57.168Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:57.168Z"}, "title": "Missing bound checks can lead to memory corruption in safe Go in cmd/compile", "descriptions": [{"lang": "en", "value": "Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/compile", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/compile", "versions": [{"version": "0", "lessThan": "1.25.9", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.2", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-190: Integer Overflow or Wraparound"}]}], "references": [{"url": "https://go.dev/cl/763765"}, {"url": "https://go.dev/issue/78333"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4868"}], "credits": [{"lang": "en", "value": "Jakub Ciolek - https://ciolek.dev/"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption."}], "id": "CVE-2026-27143", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T02:16:03.017", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/763765"}, {"source": "security@golang.org", "url": "https://go.dev/issue/78333"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4868"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "golang: cmd/compile: possible memory corruption after bound check elimination", "id": "2456342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456342"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-733", "details": ["A flaw was found in the cmd/compile package in the Go standard library. The compiler fails to correctly check for integer overflow or underflow in arithmetic operations involving loop induction variables. As a result, the compiler allows invalid memory indexing to occur at runtime, potentially leading to memory corruption."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, strictly sanitize and enforce bounds checking on any untrusted user input that influences loop counters, iteration limits, or memory indices. If there is no integer overflow or underflow, the out-of-bounds access cannot occur."}, "name": "CVE-2026-27143", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/go-toolset", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "go-toolset", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-04-08T01:06:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27143\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27143\nhttps://go.dev/cl/763765\nhttps://go.dev/issue/78333\nhttps://groups.google.com/g/golang-announce/c/0uYbvbPZRWU\nhttps://pkg.go.dev/vuln/GO-2026-4868"], "statement": "This vulnerability is only exploitable in applications that contain a loop structure that relies on an induction variable. An induction variable is a variable that gets modified, usually incremented or decremented, by a predictable amount on each iteration. Inside the loop, the induction variable must be directly used as the index to access or modify elements within an array or a slice. Additionally, an attacker must be able to cause an integer overflow or underflow in the induction variable to trigger this issue. Due to these reasons, this flaw has been rated with a moderate severity.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.25.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.0-0,1.26.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "cmd/compile", "vendor": "gotoolchain"}], "analysis": {"en": {"generated_at": "2026-04-09T01:22:23.113817+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Go toolchain that includes the fix for the missing bounds check in cmd/compile.", "If an immediate upgrade is not possible, isolate the compilation environment from untrusted sources and restrict compilation to trusted code only.", "Monitor for compilation anomalies or unexpected behavior that may indicate memory corruption.", "Check the Go project\u2019s security advisory pages for updates or additional guidance as it becomes available."], "summary": {"action": "Patch", "impact": "Memory corruption potentially enabling arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The affected component is the Go toolchain, specifically the compiler's cmd/compile module. The CNA does not list precise version ranges for this vulnerability, so all Go compiler releases prior to the vendor's fix should be treated as potentially affected. Users should consult the Go project's release notes or security advisories to identify affected revisions.", "description_and_impact": "Arithmetic over induction variables in loops were not correctly checked for underflow or overflow, allowing the Go compiler to generate code that performs invalid array indexing at runtime. This oversight can lead to memory corruption, which could potentially be leveraged by an attacker to execute arbitrary code. The issue arises from missing bound checks during compilation, not at runtime of the compiled program. The likely attack vector is a malicious Go source file that, when compiled by the vulnerable toolchain, causes the produced binary to corrupt memory and execute unintended instructions. Based on the description, it is inferred that an attacker would need the ability to run the compiler with crafted input to realize the exploit.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation would typically require an attacker to run the compromised compiler on a system, meaning that control over the compilation environment is a prerequisite. Although the risk of incidental exploitation is low, the potential impact is significant, warranting prompt action."}}}}, "created": "2026-04-08T19:44:21.441562+00:00", "updated": "2026-04-09T08:28:15.711733+00:00", "vendors": ["gotoolchain", "gotoolchain$PRODUCT$cmd/compile"]}