{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27144", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-17T19:57:28.435Z", "datePublished": "2026-04-08T01:06:56.908Z", "dateUpdated": "2026-04-08T01:06:56.908Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:56.908Z"}, "title": "Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile", "descriptions": [{"lang": "en", "value": "The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/compile", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/compile", "versions": [{"version": "0", "lessThan": "1.25.9", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.2", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-440: Expected Behavior Violation"}]}], "references": [{"url": "https://go.dev/cl/763764"}, {"url": "https://go.dev/issue/78371"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4867"}], "credits": [{"lang": "en", "value": "Jakub Ciolek - https://ciolek.dev/"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime."}], "id": "CVE-2026-27144", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T02:16:03.130", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/763764"}, {"source": "security@golang.org", "url": "https://go.dev/issue/78371"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4867"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "golang: cmd/compile: no-op interface conversion bypasses overlap checking", "id": "2456340", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456340"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-440", "details": ["A flaw was found in the cmd/compile package in the Go standard library. A no-op interface conversion prevented the compiler from correctly identifying non-overlapping memory moves. As a result, the compiler allows unsafe memory move operations to occur at runtime, potentially causing data corruption, memory corruption or unexpected application behavior."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, review code that performs memory copies or struct assignments. If data is being passed through an interface (such as 'any' or 'interface{}') just before a move operation, refactor the code to use concrete types or explicit pointers instead."}, "name": "CVE-2026-27144", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/go-toolset", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "go-toolset", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-04-08T01:06:56Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27144\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27144\nhttps://go.dev/cl/763764\nhttps://go.dev/issue/78371\nhttps://groups.google.com/g/golang-announce/c/0uYbvbPZRWU\nhttps://pkg.go.dev/vuln/GO-2026-4867"], "statement": "This issue is only exploitable in applications that contain a memory move or copy operation that is subject to a no-op (no-operation) interface conversion. Furthermore, the source and destination memory addresses involved in the move or copy must overlap and an attacker must be able to supply an input that triggers this specific operation. Due to these reasons, this flaw has been rated with a moderate severity.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.25.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.0-0,1.26.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "cmd/compile", "vendor": "gotoolchain"}], "analysis": {"en": {"generated_at": "2026-04-09T01:51:18.296170+00:00", "value": {"mitigation_remediation": ["Update the Go toolchain to a patched release that fixes the miscompilation.", "Rebuild all existing Go binaries with the updated toolchain.", "Verify that the rebuilt binaries are free from miscompilation by running relevant tests or static analysis."], "summary": {"action": "Apply Patch", "impact": "Memory Corruption"}, "threat_synthesis": {"affected_systems": "The defect is present in the Go toolchain\u2019s cmd/compile component. All binaries produced with the affected compiler version are potentially vulnerable. No specific version range is listed by the CNA, so users should confirm whether their Go toolchain has been updated to a release that contains the patch and rebuild any existing executables.", "description_and_impact": "The Go compiler is intended to remove no\u2011operation interface conversions (CONVNOP) when performing memory moves. A bug prevented the compiler from correctly determining that certain array copies are non\u2011overlapping, leading to miscompiled code that can overwrite memory at runtime. This memory corruption can affect program state and the integrity of data handled by the compiled binary.", "risk_and_exploitability": "The CVSS score of 8.1 classifies the vulnerability as high severity. The EPSS score is below 1% and the issue is not currently catalogued in CISA\u2019s KEV list, indicating a low probability of widespread use by attackers. The description does not describe an active exploitation technique, but it does imply that compiling malicious or altered source code with the affected compiler could produce a binary that performs unintended memory writes. (The likelihood of this vector is inferred from the nature of the bug rather than provided explicitly by the CVE entry.) As memory corruption can lead to undefined behavior, the potential impact includes program crashes and compromised data integrity, though the CVE does not state that it leads to arbitrary code execution."}}}}, "created": "2026-04-08T19:44:22.804530+00:00", "updated": "2026-04-09T08:28:16.762509+00:00", "vendors": ["gotoolchain", "gotoolchain$PRODUCT$cmd/compile"]}