CVE-2026-27144Expected Behavior Violation in Toolchain CMD Compile

CWE-440Expected Behavior Violation10 documents8 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 99.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
GO Toolchain CMD CompileDebian Golang-1.15Debian Golang-1.19+3 more
Timeline
PublishedApr 8
Latest updateApr 13

Description

The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages6 packages

debiandebian/golang-1.15< golang-1.25 1.25.9-1 (sid)
debiandebian/golang-1.19< golang-1.25 1.25.9-1 (sid)
debiandebian/golang-1.24< golang-1.25 1.25.9-1 (sid)
debiandebian/golang-1.25< golang-1.25 1.25.9-1 (sid)
debiandebian/golang-1.26< golang-1.25 1.25.9-1 (sid)

🔴Vulnerability Details

4
VulDB
cmd-compile up to 1.25.8/1.26.1 on Go expected behavior violation (Nessus ID 305686 / WID-SEC-2026-1006)2026-04-13
GHSA
GHSA-cqrx-3m42-5p5w: The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the2026-04-08
OSV
CVE-2026-27144: The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the2026-04-08
OSV
Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile2026-04-07

📋Vendor Advisories

2
Red Hat
golang: cmd/compile: no-op interface conversion bypasses overlap checking2026-04-08
Debian
CVE-2026-27144: golang-1.15 - The compiler is meant to unwrap pointers which are the operands of a memory move...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-27144 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

2
Bugzilla
CVE-2026-27144 golang: cmd/compile: no-op interface conversion bypasses overlap checking2026-04-08
Bugzilla
CVE-2026-27144 golang: no-op interface conversion bypasses overlap checking [fedora-all]2026-04-08
CVE-2026-27144 — Expected Behavior Violation | cvebase