Description
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
Published: 2026-04-08
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Patch
AI Analysis

Impact

The Go compiler incorrectly processes array copy operations when wrapped with a no‑op interface conversion. This miscompilation causes the compiler to assume non‑overlapping memory moves when it should not, leading to potential memory corruption at runtime. The flaw is classified as CWE‑440 and CWE‑843, indicating an untrusted write to memory and an improper type conversion that could lead to memory corruption.

Affected Systems

The vulnerability affects the Go toolchain component cmd/compile in all versions prior to the fix referenced in Go issue 78371. No specific affected version list is provided, so any unpatched Go installations using cmd/compile are potentially at risk. The vulnerability is not confined to a particular platform; it applies wherever the Go compiler runs.

Risk and Exploitability

The CVSS score of 7.1 marks this issue as high severity, yet the EPSS score of less than 1% indicates a very low current exploitation probability. The flaw is not listed in the CISA KEV catalog, suggesting no widely available exploits. The likely attack path involves an adversary compiling malicious Go code or gaining influence over the compilation of trusted code, causing the resulting binary to have corrupted memory. An attacker could potentially leverage this to achieve arbitrary code execution or other destructive behavior, though the precise exploitation chain is not detailed in the advisory.

Generated by OpenCVE AI on April 17, 2026 at 09:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Go compiler to the latest release that includes the fix for issue 78371
  • Restrict compilation of code to trusted repositories and isolate builds in dedicated environments
  • Obtain the patched Go compiler from the official release channel and verify its checksum before installation

Generated by OpenCVE AI on April 17, 2026 at 09:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang go
Weaknesses CWE-843
CPEs cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Vendors & Products Golang
Golang go

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Gotoolchain
Gotoolchain cmd/compile
Weaknesses CWE-787
Vendors & Products Gotoolchain
Gotoolchain cmd/compile

Thu, 09 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-440
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787

Wed, 08 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
Title Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile
References

Subscriptions

Golang Go
Gotoolchain Cmd/compile
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-13T18:20:28.098Z

Reserved: 2026-02-17T19:57:28.435Z

Link: CVE-2026-27144

cve-icon Vulnrichment

Updated: 2026-04-13T17:49:44.095Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T02:16:03.130

Modified: 2026-04-16T19:17:18.093

Link: CVE-2026-27144

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-08T01:06:56Z

Links: CVE-2026-27144 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T10:00:03Z

Weaknesses