CVE-2026-27143: Compiler Optimization Removal or Modification of Security-critical Code in Toolchain CMD Compile

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.0% (top 95.59%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 8; Latest update Apr 13

Description

Arithmetic over induction variables in loops was not correctly checked for underflow or overflow. As a result, the compiler would allow invalid indexing to occur at runtime, potentially leading to memory corruption.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (6 packages)

debian  debian/golang-1.15  < golang-1.25 1.25.9-1 (sid)
debian  debian/golang-1.19  < golang-1.25 1.25.9-1 (sid)
debian  debian/golang-1.24  < golang-1.25 1.25.9-1 (sid)
debian  debian/golang-1.25  < golang-1.25 1.25.9-1 (sid)
debian  debian/golang-1.26  < golang-1.25 1.25.9-1 (sid)

🔴 Vulnerability Details (4)

VulDB: cmd-compile up to 1.25.8/1.26.1 on Go induction integer overflow (Nessus ID 305686 / WID-SEC-2026-1006) (2026-04-13)
OSV: CVE-2026-27143: Arithmetic over induction variables in loops were not correctly checked for underflow or overflow (2026-04-08)
GHSA: GHSA-cfp9-33rc-j74f: Arithmetic over induction variables in loops were not correctly checked for underflow or overflow (2026-04-08)
OSV: Missing bound checks can lead to memory corruption in safe Go in cmd/compile (2026-04-07)

📋 Vendor Advisories (2)

Red Hat: golang: cmd/compile: possible memory corruption after bound check elimination (2026-04-08)
Debian: CVE-2026-27143: golang-1.15 - Arithmetic over induction variables in loops were not correctly checked for unde... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-27143 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (2)

Bugzilla: CVE-2026-27143 golang: possible memory corruption after bound check elimination [fedora-all] (2026-04-08)
Bugzilla: CVE-2026-27143 golang: cmd/compile: possible memory corruption after bound check elimination (2026-04-08)