CVE-2026-27144
Memory Corruption in Go Compiler Due to Pointer Handling Flaw
Publication date: 2026-04-08
Last updated on: 2026-04-16
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | to 1.25.9 (exc) |
| golang | go | From 1.26.0 (inc) to 1.26.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of CVE-2026-27144 on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-27144 is a vulnerability in the Go programming language's compiler, specifically in the cmd/compile package. The compiler is supposed to unwrap pointers that are operands of memory move operations to determine if the moves overlap or not. However, a no-op interface conversion prevented the compiler from correctly identifying non-overlapping memory moves. This incorrect determination could lead to memory corruption at runtime.
How can this vulnerability impact me? :
This vulnerability can lead to memory corruption at runtime due to the compiler incorrectly handling certain memory move operations. Memory corruption can cause unpredictable behavior in programs, including crashes, data corruption, or security issues such as exploitation by attackers to execute arbitrary code or cause denial of service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to the Go compiler's internal handling of memory move operations and no-op interface conversions, which can lead to memory corruption at runtime. Detection would primarily involve identifying if your system is using a vulnerable version of the Go compiler.
Specifically, the affected versions are Go versions before 1.25.9 and from 1.26.0-0 up to but not including 1.26.2.
To detect if your system is vulnerable, you can check the Go compiler version installed by running the command:
- go version
If the version falls within the vulnerable ranges, your system is potentially affected.
Since this is a compiler vulnerability, network detection commands are not applicable.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Go compiler to a fixed version where this vulnerability has been addressed.
The vulnerability has been fixed in Go versions after 1.25.9 and from 1.26.2 onwards, with a planned fix in Go 1.27.
Therefore, immediately update your Go compiler to version 1.26.2 or later to prevent the unsafe memory move operations caused by this issue.
Additionally, review and rebuild any binaries compiled with vulnerable versions to ensure they are not affected by this memory corruption issue.