{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27144", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-17T19:57:28.435Z", "datePublished": "2026-04-08T01:06:56.908Z", "dateUpdated": "2026-04-08T01:06:56.908Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:56.908Z"}, "title": "Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile", "descriptions": [{"lang": "en", "value": "The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/compile", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/compile", "versions": [{"version": "0", "lessThan": "1.25.9", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.2", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-440: Expected Behavior Violation"}]}], "references": [{"url": "https://go.dev/cl/763764"}, {"url": "https://go.dev/issue/78371"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4867"}], "credits": [{"lang": "en", "value": "Jakub Ciolek - https://ciolek.dev/"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime."}], "id": "CVE-2026-27144", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T02:16:03.130", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/763764"}, {"source": "security@golang.org", "url": "https://go.dev/issue/78371"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4867"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "golang: cmd/compile: no-op interface conversion bypasses overlap checking", "id": "2456340", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456340"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-440", "details": ["A flaw was found in the cmd/compile package in the Go standard library. A no-op interface conversion prevented the compiler from correctly identifying non-overlapping memory moves. As a result, the compiler allows unsafe memory move operations to occur at runtime, potentially causing data corruption, memory corruption or unexpected application behavior."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, review code that performs memory copies or struct assignments. If data is being passed through an interface (such as 'any' or 'interface{}') just before a move operation, refactor the code to use concrete types or explicit pointers instead."}, "name": "CVE-2026-27144", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/go-toolset", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "go-toolset", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-04-08T01:06:56Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27144\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27144\nhttps://go.dev/cl/763764\nhttps://go.dev/issue/78371\nhttps://groups.google.com/g/golang-announce/c/0uYbvbPZRWU\nhttps://pkg.go.dev/vuln/GO-2026-4867"], "statement": "This issue is only exploitable in applications that contain a memory move or copy operation that is subject to a no-op (no-operation) interface conversion. Furthermore, the source and destination memory addresses involved in the move or copy must overlap and an attacker must be able to supply an input that triggers this specific operation. Due to these reasons, this flaw has been rated with a moderate severity.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.25.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.0-0,1.26.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "cmd/compile", "vendor": "gotoolchain"}], "analysis": {"en": {"generated_at": "2026-04-09T09:50:22.016243+00:00", "value": {"mitigation_remediation": ["Update the Go compiler to a version that includes the fix for the miscompilation bug.", "Rebuild all Go applications compiled with the vulnerable compiler.", "Verify that the rebuilt binaries run correctly and do not exhibit crashes or data corruption.", "Stay informed of Go release notes and security advisories for additional guidance."], "summary": {"action": "Patch Now", "impact": "Memory corruption that can lead to arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability resides in the Go toolchain. Any Go compiler version released before the fix is affected, including the current main branch and any earlier releases that have not yet applied the patch. The impact applies to all applications compiled with those compiler versions.", "description_and_impact": "A bug in the Go compiler's cmd/compile package causes certain array copy operations that involve a no-op interface conversion to be miscompiled. The compiler fails to unwind pointers that are operands of a memory move, incorrectly assuming the memory regions do not overlap. This miscompilation can corrupt memory when the generated code executes, potentially altering program data or control flow and leading to arbitrary code execution or a crash.", "risk_and_exploitability": "The flaw has a CVSS score of 8.1, indicating high severity. The exploit probability is below 1%, pointing to a low likelihood of widespread exploitation, and the vulnerability is not listed in the known exploited vulnerability catalog. An attacker would need to control the compilation process to build malicious Go code that triggers the miscompilation. Once the compromised binary runs, the memory corruption can result in arbitrary code execution or a denial of service. Upgrading to a patched compiler and rebuilding affected binaries mitigates this risk."}}}}, "created": "2026-04-08T19:44:22.804530+00:00", "updated": "2026-04-10T09:41:02.839467+00:00", "vendors": ["gotoolchain", "gotoolchain$PRODUCT$cmd/compile"]}