{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27143", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-17T19:57:28.435Z", "datePublished": "2026-04-08T01:06:57.168Z", "dateUpdated": "2026-04-13T18:20:17.933Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:57.168Z"}, "title": "Missing bound checks can lead to memory corruption in safe Go in cmd/compile", "descriptions": [{"lang": "en", "value": "Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/compile", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/compile", "versions": [{"version": "0", "lessThan": "1.25.9", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.2", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-190: Integer Overflow or Wraparound"}]}], "references": [{"url": "https://go.dev/cl/763765"}, {"url": "https://go.dev/issue/78333"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4868"}], "credits": [{"lang": "en", "value": "Jakub Ciolek - https://ciolek.dev/"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T17:50:24.131708Z", "id": "CVE-2026-27143", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:20:17.933Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27143", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T17:50:24.131708Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:50:15.313Z"}}], "cna": {"title": "Missing bound checks can lead to memory corruption in safe Go in cmd/compile", "credits": [{"lang": "en", "value": "Jakub Ciolek - https://ciolek.dev/"}], "affected": [{"vendor": "Go toolchain", "product": "cmd/compile", "versions": [{"status": "affected", "version": "0", "lessThan": "1.25.9", "versionType": "semver"}, {"status": "affected", "version": "1.26.0-0", "lessThan": "1.26.2", "versionType": "semver"}], "packageName": "cmd/compile", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected"}], "references": [{"url": "https://go.dev/cl/763765"}, {"url": "https://go.dev/issue/78333"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4868"}], "descriptions": [{"lang": "en", "value": "Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-190: Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:57.168Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27143", "state": "PUBLISHED", "dateUpdated": "2026-04-13T18:20:17.933Z", "dateReserved": "2026-02-17T19:57:28.435Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-04-08T01:06:57.168Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6C9C072-9817-402D-877F-F83584B07017", "versionEndExcluding": "1.25.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "39FE9BAF-55E9-43AA-B14E-239E7EF1D65D", "versionEndExcluding": "1.26.2", "versionStartIncluding": "1.26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption."}], "id": "CVE-2026-27143", "lastModified": "2026-04-16T19:20:02.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T02:16:03.017", "references": [{"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/763765"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/78333"}, {"source": "security@golang.org", "tags": ["Release Notes", "Mailing List"], "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2026-4868"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "golang: cmd/compile: possible memory corruption after bound check elimination", "id": "2456342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456342"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-733", "details": ["A flaw was found in the cmd/compile package in the Go standard library. The compiler fails to correctly check for integer overflow or underflow in arithmetic operations involving loop induction variables. As a result, the compiler allows invalid memory indexing to occur at runtime, potentially leading to memory corruption."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, strictly sanitize and enforce bounds checking on any untrusted user input that influences loop counters, iteration limits, or memory indices. If there is no integer overflow or underflow, the out-of-bounds access cannot occur."}, "name": "CVE-2026-27143", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/go-toolset", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "go-toolset", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-04-08T01:06:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27143\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27143\nhttps://go.dev/cl/763765\nhttps://go.dev/issue/78333\nhttps://groups.google.com/g/golang-announce/c/0uYbvbPZRWU\nhttps://pkg.go.dev/vuln/GO-2026-4868"], "statement": "This vulnerability is only exploitable in applications that contain a loop structure that relies on an induction variable. An induction variable is a variable that gets modified, usually incremented or decremented, by a predictable amount on each iteration. Inside the loop, the induction variable must be directly used as the index to access or modify elements within an array or a slice. Additionally, an attacker must be able to cause an integer overflow or underflow in the induction variable to trigger this issue. Due to these reasons, this flaw has been rated with a moderate severity.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.25.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.0-0,1.26.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "cmd/compile", "vendor": "gotoolchain"}], "analysis": {"en": {"generated_at": "2026-04-18T09:32:11.748075+00:00", "value": {"mitigation_remediation": ["Apply the latest Go toolchain release that contains the cmd/compile bounds\u2011check patch.", "Configure build systems to use a dedicated, isolated environment when compiling untrusted or third\u2011party source code.", "Audit and replace any older Go compiler binaries on build servers and CI pipelines."], "summary": {"action": "Immediate Patch", "impact": "Memory corruption"}, "threat_synthesis": {"affected_systems": "The defect is located in the cmd/compile component of the Go toolchain. Any system compiling Go source code with a compiler that contains this flaw, regardless of the specific build or version, is potentially affected. The CNA did not list particular version ranges, so all builds using the vulnerable compiler are at risk.", "description_and_impact": "The flaw arises when the Go compiler fails to correctly bounds\u2011check induction variables in loops, allowing an out\u2011of\u2011range index to be used during compilation. This oversight can corrupt memory inside the compiler at runtime, creating a memory corruption vulnerability. The weakness corresponds to improper bounds checking (CWE\u2011733).", "risk_and_exploitability": "The CVSS score of 9.8 indicates a severe, high\u2011impact flaw, while an EPSS score of < 1% suggests that exploitation is unlikely but still possible. The vulnerability is not in CISA\u2019s KEV catalog. The most likely attack vector is local: an attacker must supply malicious source code to a compilation process running on a system that uses the affected Go toolchain. Because the weakness is in the compiler, the impact remains confined to the compilation environment but can corrupt the compiler\u2019s own memory space."}}}}, "created": "2026-04-08T19:44:21.441562+00:00", "updated": "2026-04-18T09:45:25.826867+00:00", "vendors": ["gotoolchain", "gotoolchain$PRODUCT$cmd/compile"]}