{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27143", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-17T19:57:28.435Z", "datePublished": "2026-04-08T01:06:57.168Z", "dateUpdated": "2026-04-08T01:06:57.168Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:57.168Z"}, "title": "Missing bound checks can lead to memory corruption in safe Go in cmd/compile", "descriptions": [{"lang": "en", "value": "Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/compile", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/compile", "versions": [{"version": "0", "lessThan": "1.25.9", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.2", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-190: Integer Overflow or Wraparound"}]}], "references": [{"url": "https://go.dev/cl/763765"}, {"url": "https://go.dev/issue/78333"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4868"}], "credits": [{"lang": "en", "value": "Jakub Ciolek - https://ciolek.dev/"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption."}], "id": "CVE-2026-27143", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T02:16:03.017", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/763765"}, {"source": "security@golang.org", "url": "https://go.dev/issue/78333"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4868"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "golang: cmd/compile: possible memory corruption after bound check elimination", "id": "2456342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456342"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-733", "details": ["A flaw was found in the cmd/compile package in the Go standard library. The compiler fails to correctly check for integer overflow or underflow in arithmetic operations involving loop induction variables. As a result, the compiler allows invalid memory indexing to occur at runtime, potentially leading to memory corruption."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, strictly sanitize and enforce bounds checking on any untrusted user input that influences loop counters, iteration limits, or memory indices. If there is no integer overflow or underflow, the out-of-bounds access cannot occur."}, "name": "CVE-2026-27143", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/go-toolset", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "go-toolset", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-04-08T01:06:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27143\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27143\nhttps://go.dev/cl/763765\nhttps://go.dev/issue/78333\nhttps://groups.google.com/g/golang-announce/c/0uYbvbPZRWU\nhttps://pkg.go.dev/vuln/GO-2026-4868"], "statement": "This vulnerability is only exploitable in applications that contain a loop structure that relies on an induction variable. An induction variable is a variable that gets modified, usually incremented or decremented, by a predictable amount on each iteration. Inside the loop, the induction variable must be directly used as the index to access or modify elements within an array or a slice. Additionally, an attacker must be able to cause an integer overflow or underflow in the induction variable to trigger this issue. Due to these reasons, this flaw has been rated with a moderate severity.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-08T02:23:04.890781+00:00", "value": {"mitigation_remediation": ["Upgrade the Go toolchain to the latest released version that includes the fix.", "If an upgrade is not immediately possible, rebuild all packages with a known safe compiler version and validate the integrity of compiled binaries.", "Monitor Go project announcements and issue trackers for updates and confirmation of the vulnerability fix."], "summary": {"action": "Apply patch", "impact": "Memory corruption due to missing bounds checks in the Go compiler"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Go toolchain, specifically the cmd/compile component. No version information is provided, so all unsupported releases of the Go compiler that contain this logic are likely impacted.", "description_and_impact": "Arithmetic over induction variables within loops were not correctly verified for underflow or overflow. As a result, the compiler allows invalid indexing to occur at runtime, potentially leading to memory corruption.", "risk_and_exploitability": "The CVSS score is not provided and EPSS data is unavailable. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the flaw could be exploited via a locally compiled Go program that triggers the over- or underflow during compilation, leading to memory corruption in the compiler process. The attack vector is inferred to be local, requiring a user with permission to run the compiler."}}}}, "created": "2026-04-08T19:44:21.441562+00:00", "updated": "2026-04-08T19:44:21.441625+00:00", "vendors": []}