CVE-2026-27144
Received Received - Intake
Memory Corruption in Go Compiler Due to Pointer Handling Flaw

Publication date: 2026-04-08

Last updated on: 2026-04-16

Assigner: Go Project

Description
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27144
EUVD
EUVD-2026-20006
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
golang go to 1.25.9 (exc)
golang go From 1.26.0 (inc) to 1.26.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of CVE-2026-27144 on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-27144 is a vulnerability in the Go programming language's compiler, specifically in the cmd/compile package. The compiler is supposed to unwrap pointers that are operands of memory move operations to determine if the moves overlap or not. However, a no-op interface conversion prevented the compiler from correctly identifying non-overlapping memory moves. This incorrect determination could lead to memory corruption at runtime.

Impact Analysis

This vulnerability can lead to memory corruption at runtime due to the compiler incorrectly handling certain memory move operations. Memory corruption can cause unpredictable behavior in programs, including crashes, data corruption, or security issues such as exploitation by attackers to execute arbitrary code or cause denial of service.

Detection Guidance

This vulnerability is related to the Go compiler's internal handling of memory move operations and no-op interface conversions, which can lead to memory corruption at runtime. Detection would primarily involve identifying if your system is using a vulnerable version of the Go compiler.

Specifically, the affected versions are Go versions before 1.25.9 and from 1.26.0-0 up to but not including 1.26.2.

To detect if your system is vulnerable, you can check the Go compiler version installed by running the command:

  • go version

If the version falls within the vulnerable ranges, your system is potentially affected.

Since this is a compiler vulnerability, network detection commands are not applicable.

Mitigation Strategies

The primary mitigation step is to upgrade the Go compiler to a fixed version where this vulnerability has been addressed.

The vulnerability has been fixed in Go versions after 1.25.9 and from 1.26.2 onwards, with a planned fix in Go 1.27.

Therefore, immediately update your Go compiler to version 1.26.2 or later to prevent the unsafe memory move operations caused by this issue.

Additionally, review and rebuild any binaries compiled with vulnerable versions to ensure they are not affected by this memory corruption issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27144. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart