CVE-2026-27144
published 2026-04-08CVE-2026-27144: The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct…
PriorityP432high7.1CVSS 3.1
AVLACLPRLUINSUCNIHAH
EPSS
0.26%
17.4th percentile
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.19 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.24 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.25 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| debian | golang-1.26 | < golang-1.25 1.25.9-1 (sid) | golang-1.25 1.25.9-1 (sid) |
| go_toolchain | cmd_compile | < 1.25.9 | 1.25.9 |
| go_toolchain | cmd_compile | >= 1.26.0-0 < 1.26.2 | 1.26.2 |
| golang | go | < 1.25.9 | 1.25.9 |
| golang | go | >= 1.26.0 < 1.26.2 | 1.26.2 |
CVSS provenance
nvdv3.17.1HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
osv7.1HIGH
vendor_debian7.1HIGH
vendor_redhat7.1HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
cmd-compile up to 1.25.8/1.26.1 on Go expected behavior violation (Nessus ID 305686 / WID-SEC-2026-1006)
vuldb·2026-04-13·CVSS 7.1
CVE-2026-27144 [HIGH] cmd-compile up to 1.25.8/1.26.1 on Go expected behavior violation (Nessus ID 305686 / WID-SEC-2026-1006)
A vulnerability was found in cmd-compile up to 1.25.8/1.26.1 on Go. It has been classified as critical. Affected by this issue is some unknown functionality. Performing a manipulation results in expected behavior violation.
This vulnerability was named CVE-2026-27144. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is recommended.
GHSA
GHSA-cqrx-3m42-5p5w: The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the
ghsa_unreviewed·2026-04-08
CVE-2026-27144 GHSA-cqrx-3m42-5p5w: The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
OSV
CVE-2026-27144: The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the
osv·2026-04-08·CVSS 7.1
CVE-2026-27144 [HIGH] CVE-2026-27144: The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
OSV
Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile
osv·2026-04-07
CVE-2026-27144 Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile
Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
Red Hat
golang: cmd/compile: no-op interface conversion bypasses overlap checking
vendor_redhat·2026-04-08·CVSS 7.1
CVE-2026-27144 [HIGH] CWE-440 golang: cmd/compile: no-op interface conversion bypasses overlap checking
golang: cmd/compile: no-op interface conversion bypasses overlap checking
A flaw was found in the cmd/compile package in the Go standard library. A no-op interface conversion prevented the compiler from correctly identifying non-overlapping memory moves. As a result, the compiler allows unsafe memory move operations to occur at runtime, potentially causing data corruption, memory corruption or unexpected application behavior.
Statement: This issue is only exploitable in applications that contain a memory move or copy operation that is subject to a no-op (no-operation) interface conversion. Furthermore, the source and destination memory addresses involved in the move or copy must overlap and an attacker must be able to supply an input that triggers this specific operation. Due to these re
Debian
CVE-2026-27144: golang-1.15 - The compiler is meant to unwrap pointers which are the operands of a memory move...
vendor_debian·2026·CVSS 7.1
CVE-2026-27144 [HIGH] CVE-2026-27144: golang-1.15 - The compiler is meant to unwrap pointers which are the operands of a memory move...
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-27144 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-27144 [HIGH] CVE-2026-27144 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27144 :
Golang vulnerability analysis and mitigation
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
Source : NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-race
go-toolset
Sources
NVD
Debian 11, 12, 13 No Fix Added at: Apr 09, 2026
Debian 14 Has Fix Added at: Apr 09, 2026
Echo No Fix Added at: Apr 09, 202
Bugzilla
CVE-2026-27144 golang: cmd/compile: no-op interface conversion bypasses overlap checking
bugzilla·2026-04-08·CVSS 7.1
CVE-2026-27144 [HIGH] CVE-2026-27144 golang: cmd/compile: no-op interface conversion bypasses overlap checking
CVE-2026-27144 golang: cmd/compile: no-op interface conversion bypasses overlap checking
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
Bugzilla
CVE-2026-27144 golang: no-op interface conversion bypasses overlap checking [fedora-all]
bugzilla·2026-04-08·CVSS 7.1
CVE-2026-27144 [HIGH] CVE-2026-27144 golang: no-op interface conversion bypasses overlap checking [fedora-all]
CVE-2026-27144 golang: no-op interface conversion bypasses overlap checking [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
2026-04-08
Published