CVE-2026-27143
Published 2026-04-08
Priority: P351 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.54% (41.1st percentile)
Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.19 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.24 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.25 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.26 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| github.com | bluenviron_mediamtx | >= 1.15.0 < 1.18.0 | 1.18.0 |
| go_toolchain | cmd_compile | < 1.25.9 | 1.25.9 |
| go_toolchain | cmd_compile | >= 1.26.0-0 < 1.26.2 | 1.26.2 |
| golang | go | < 1.25.9 | 1.25.9 |
| golang | go | >= 1.26.0 < 1.26.2 | 1.26.2 |
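The two upstream toolchain ranges in the table above (below 1.25.9, and 1.26.0 up to but excluding 1.26.2) can be turned into a quick "am I affected" check. This is an added example, not code from any of the advisories or from the Go project; the helper names are mine, and treating a prerelease such as go1.26rc1 as 1.26.0 (inside the affected range) is my conservative assumption rather than something the advisories state.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// goVersion is a parsed Go toolchain version (major.minor.patch).
type goVersion struct{ major, minor, patch int }

// verRe matches "go1.25.8" in `go version` output or a go.mod toolchain
// line. A missing patch ("go1.26", "go1.26rc1") is read as patch 0, so
// prereleases fall inside the affected 1.26.x range (a deliberately
// conservative assumption, not something the advisory states).
var verRe = regexp.MustCompile(`go(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion extracts the first Go version found in s.
func parseGoVersion(s string) (goVersion, error) {
	m := verRe.FindStringSubmatch(s)
	if m == nil {
		return goVersion{}, fmt.Errorf("no Go version found in %q", s)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch := 0
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return goVersion{major, minor, patch}, nil
}

// key folds the version into one comparable integer (minor and patch
// are assumed to stay below 1000).
func (v goVersion) key() int { return v.major*1_000_000 + v.minor*1_000 + v.patch }

// affectedByCVE202627143 applies the two ranges from the affected-versions
// table: everything below 1.25.9, and 1.26.0 up to (excluding) 1.26.2.
func affectedByCVE202627143(v goVersion) bool {
	k := v.key()
	fixed125 := goVersion{1, 25, 9}.key()
	start126 := goVersion{1, 26, 0}.key()
	fixed126 := goVersion{1, 26, 2}.key()
	return k < fixed125 || (k >= start126 && k < fixed126)
}
```

Feed it the output of `go version` on a build host, or the `go`/`toolchain` line of a go.mod, to decide whether a rebuild with a fixed toolchain is needed.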
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
GHSA
MediaMTX affected by CVE-2026-27143 due to vulnerable dependency
ghsa · 2026-05-06 · CVSS 9.8 · CRITICAL · CWE-190
### Summary
Release 1.17.1 seems affected by CVE-2026-27143. golang 1.25.9 seems to solve the issue. Is there any new release planned?
### Details
See https://nvd.nist.gov/vuln/detail/CVE-2026-27143.
VulDB
cmd-compile up to 1.25.8/1.26.1 on Go induction integer overflow (Nessus ID 305686 / WID-SEC-2026-1006)
vuldb · 2026-04-13 · CVSS 9.8 · CRITICAL
A vulnerability classified as critical was found in cmd-compile up to 1.25.8/1.26.1 on Go. The affected code is not further specified; manipulation of a loop induction variable can lead to integer overflow.
This vulnerability is tracked as CVE-2026-27143. The attack can be executed remotely. No exploit is available.
Upgrading the affected component is recommended.
OSV
CVE-2026-27143: Arithmetic over induction variables in loops were not correctly checked for underflow or overflow
osv · 2026-04-08 · CVSS 9.8 · CRITICAL
GHSA
GHSA-cfp9-33rc-j74f: Arithmetic over induction variables in loops were not correctly checked for underflow or overflow
ghsa_unreviewed · 2026-04-08
OSV
Missing bound checks can lead to memory corruption in safe Go in cmd/compile
osv · 2026-04-07
Red Hat
golang: cmd/compile: possible memory corruption after bound check elimination
vendor_redhat · 2026-04-08 · CVSS 9.8 · CRITICAL · CWE-733
A flaw was found in the cmd/compile package in the Go standard library. The compiler fails to correctly check for integer overflow or underflow in arithmetic operations involving loop induction variables. As a result, the compiler allows invalid memory indexing to occur at runtime, potentially leading to memory corruption.
Statement: This vulnerability is only exploitable in applications that contain a loop structure that relies on an induction variable. An induction variable is a variable that gets modified, usually incremented or decremented, by a predictable amount on each iteration. Inside the loop, the induction variable must be directly used as the index to access or modify elements within an array or a s
Debian
CVE-2026-27143: golang-1.15 - Arithmetic over induction variables in loops were not correctly checked for unde...
vendor_debian · 2026 · CVSS 9.8 · CRITICAL
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-27143 golang: possible memory corruption after bound check elimination [fedora-all]
bugzilla · 2026-04-08 · CVSS 9.8 · CRITICAL
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-27143 golang: cmd/compile: possible memory corruption after bound check elimination
bugzilla · 2026-04-08 · CVSS 9.8 · CRITICAL
Wiz
CVE-2026-27143 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 · CRITICAL
## CVE-2026-27143: Golang vulnerability analysis and mitigation
Source: NVD
Published: April 8, 2026
CNA Score: N/A
Affected Technologies: Golang, Linux Debian
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: golang-1.24, golang-1.25
Sources: NVD

| Distribution | Fix status | Severity | Added at |
|---|---|---|---|
| Debian 11, 12, 13 | No Fix | | Apr 09, 2026 |
| Debian 14 | Has Fix | | Apr 09, 2026 |
| Echo | No Fix | | Apr 09, 2026 |
| Red Hat 8, 9, 10 | | MED | |