Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.
During Go code compilation, arithmetic operations performed on induction variables (loop control variables) were not properly checked for overflow and underflow. As a result, the machine code generated by the compiler allowed improper memory indexing at runtime. This led to access of memory areas beyond the permitted boundaries, which is a classic form of memory corruption.
An attacker can cause memory corruption of the process, which depending on the application context may enable arbitrary code execution (RCE), disclosure of sensitive data, or destabilization of system operation.
The Golang Go compiler should be updated to a version containing the fix described in the change list go.dev/cl/763765 and all Go applications should be recompiled using the patched compiler. Detailed information about patch versions is available in the vendor references.
Applications compiled using the Golang Go compiler — specific versions indicated in the vendor references (go.dev/issue/78333 and pkg.go.dev/vuln/GO-2026-4868)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGolang Go
APPGolang< 1.25.91.26.0 – 1.26.2 (bez)
Related vulnerabilities
Przewidywalne UUID w Fiber v2 — podatność na generowanie słabych identyfikatorów
Golang crypto/tls: błędna walidacja certyfikatów przy wznawianiu sesji TLS
Błędna klasyfikacja adresów IPv4-mapped IPv6 w bibliotece standardowej Go
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relati...
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" o...