{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27144", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-17T19:57:28.435Z", "datePublished": "2026-04-08T01:06:56.908Z", "dateUpdated": "2026-04-13T18:20:28.098Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:56.908Z"}, "title": "Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile", "descriptions": [{"lang": "en", "value": "The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/compile", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/compile", "versions": [{"version": "0", "lessThan": "1.25.9", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.2", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-440: Expected Behavior Violation"}]}], "references": [{"url": "https://go.dev/cl/763764"}, {"url": "https://go.dev/issue/78371"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4867"}], "credits": [{"lang": "en", "value": "Jakub Ciolek - https://ciolek.dev/"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T17:49:47.300247Z", "id": "CVE-2026-27144", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:20:28.098Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27144", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T17:49:47.300247Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:49:44.095Z"}}], "cna": {"title": "Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile", "credits": [{"lang": "en", "value": "Jakub Ciolek - https://ciolek.dev/"}], "affected": [{"vendor": "Go toolchain", "product": "cmd/compile", "versions": [{"status": "affected", "version": "0", "lessThan": "1.25.9", "versionType": "semver"}, {"status": "affected", "version": "1.26.0-0", "lessThan": "1.26.2", "versionType": "semver"}], "packageName": "cmd/compile", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected"}], "references": [{"url": "https://go.dev/cl/763764"}, {"url": "https://go.dev/issue/78371"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4867"}], "descriptions": [{"lang": "en", "value": "The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-440: Expected Behavior Violation"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:56.908Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27144", "state": "PUBLISHED", "dateUpdated": "2026-04-13T18:20:28.098Z", "dateReserved": "2026-02-17T19:57:28.435Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-04-08T01:06:56.908Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6C9C072-9817-402D-877F-F83584B07017", "versionEndExcluding": "1.25.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "39FE9BAF-55E9-43AA-B14E-239E7EF1D65D", "versionEndExcluding": "1.26.2", "versionStartIncluding": "1.26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime."}], "id": "CVE-2026-27144", "lastModified": "2026-04-16T19:17:18.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T02:16:03.130", "references": [{"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/763764"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/78371"}, {"source": "security@golang.org", "tags": ["Release Notes", "Mailing List"], "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2026-4867"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-843"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "golang: cmd/compile: no-op interface conversion bypasses overlap checking", "id": "2456340", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456340"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-440", "details": ["A flaw was found in the cmd/compile package in the Go standard library. A no-op interface conversion prevented the compiler from correctly identifying non-overlapping memory moves. As a result, the compiler allows unsafe memory move operations to occur at runtime, potentially causing data corruption, memory corruption or unexpected application behavior."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, review code that performs memory copies or struct assignments. If data is being passed through an interface (such as 'any' or 'interface{}') just before a move operation, refactor the code to use concrete types or explicit pointers instead."}, "name": "CVE-2026-27144", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/go-toolset", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "go-toolset", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-04-08T01:06:56Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27144\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27144\nhttps://go.dev/cl/763764\nhttps://go.dev/issue/78371\nhttps://groups.google.com/g/golang-announce/c/0uYbvbPZRWU\nhttps://pkg.go.dev/vuln/GO-2026-4867"], "statement": "This issue is only exploitable in applications that contain a memory move or copy operation that is subject to a no-op (no-operation) interface conversion. Furthermore, the source and destination memory addresses involved in the move or copy must overlap and an attacker must be able to supply an input that triggers this specific operation. Due to these reasons, this flaw has been rated with a moderate severity.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.25.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.0-0,1.26.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "cmd/compile", "vendor": "gotoolchain"}], "analysis": {"en": {"generated_at": "2026-04-17T09:52:24.603005+00:00", "value": {"mitigation_remediation": ["Update the Go compiler to the latest release that includes the fix for issue 78371", "Restrict compilation of code to trusted repositories and isolate builds in dedicated environments", "Obtain the patched Go compiler from the official release channel and verify its checksum before installation"], "summary": {"action": "Patch", "impact": "Memory Corruption"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Go toolchain component cmd/compile in all versions prior to the fix referenced in Go issue 78371. No specific affected version list is provided, so any unpatched Go installations using cmd/compile are potentially at risk. The vulnerability is not confined to a particular platform; it applies wherever the Go compiler runs.", "description_and_impact": "The Go compiler incorrectly processes array copy operations when wrapped with a no\u2011op interface conversion. This miscompilation causes the compiler to assume non\u2011overlapping memory moves when it should not, leading to potential memory corruption at runtime. The flaw is classified as CWE\u2011440 and CWE\u2011843, indicating an untrusted write to memory and an improper type conversion that could lead to memory corruption.", "risk_and_exploitability": "The CVSS score of 7.1 marks this issue as high severity, yet the EPSS score of less than 1% indicates a very low current exploitation probability. The flaw is not listed in the CISA KEV catalog, suggesting no widely available exploits. The likely attack path involves an adversary compiling malicious Go code or gaining influence over the compilation of trusted code, causing the resulting binary to have corrupted memory. An attacker could potentially leverage this to achieve arbitrary code execution or other destructive behavior, though the precise exploitation chain is not detailed in the advisory."}}}}, "created": "2026-04-08T19:44:22.804530+00:00", "updated": "2026-04-17T10:00:03.568529+00:00", "vendors": ["gotoolchain", "gotoolchain$PRODUCT$cmd/compile"]}