CVE-2026-27143
Integer Overflow in Go Compiler Loop Induction Variables Causes Memory Corruption
Publication date: 2026-04-08
Last updated on: 2026-04-16
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | to 1.25.9 (exc) |
| golang | go | From 1.26.0 (inc) to 1.26.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27143 is a vulnerability in the Go programming language's compiler, specifically in the cmd/compile package. It arises because arithmetic operations on induction variables used in loops were not properly checked for underflow or overflow. This flaw allowed the compiler to generate code that could perform invalid indexing at runtime, which means the program might access memory outside the intended bounds of arrays or slices.
In simpler terms, when the compiler optimizes loops by assuming loop counters (induction variables) stay within valid ranges, it sometimes incorrectly removes necessary bounds checks. If the loop counter overflows or underflows, this can lead to out-of-bounds memory access and potential memory corruption.
How can this vulnerability impact me? :
This vulnerability can lead to memory corruption at runtime due to invalid indexing caused by unchecked overflow or underflow of loop counters. Memory corruption can cause unpredictable program behavior, including crashes, data corruption, or security issues such as arbitrary code execution or privilege escalation.
If you use affected versions of the Go compiler (before 1.25.9 and from 1.26.0 up to but not including 1.26.2), your compiled programs might be vulnerable to these issues, especially if they rely on loops with induction variables for array or slice indexing.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to the Go compiler's internal handling of arithmetic on induction variables in loops, which can lead to invalid indexing and memory corruption at runtime. Detection involves identifying if your Go environment is using a vulnerable compiler version.
You can check the Go compiler version installed on your system to determine if it is affected. Vulnerable versions are before 1.25.9 and from 1.26.0 up to but not including 1.26.2.
To check the Go compiler version, run the command:
- go version
If the version falls within the vulnerable range, your system is potentially affected.
Additionally, reviewing compiled binaries for unexpected memory corruption or crashes related to loops using induction variables may indicate exploitation, but no specific detection commands or network-based detection methods are provided.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Go compiler to a fixed version where this vulnerability has been addressed.
- Upgrade to Go version 1.25.9 or later if you are using a version before 1.25.9.
- If using Go 1.26.x, upgrade to at least version 1.26.2.
These versions include fixes that ensure the compiler correctly handles arithmetic overflows and underflows on induction variables, preventing invalid indexing and potential memory corruption.
Avoid using vulnerable compiler versions in production environments until upgraded.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.