CRITICAL🇵🇱 Wersja polska

CVE-2026-27143

CVSS 9.8v3.1pub. 2026-04-08upd. 2026-04-16

Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.

🤖 AI Analysis
How it works

During Go code compilation, arithmetic operations performed on induction variables (loop control variables) were not properly checked for overflow and underflow. As a result, the machine code generated by the compiler allowed improper memory indexing at runtime. This led to access of memory areas beyond the permitted boundaries, which is a classic form of memory corruption.

Impact

An attacker can cause memory corruption of the process, which depending on the application context may enable arbitrary code execution (RCE), disclosure of sensitive data, or destabilization of system operation.

Mitigation & patch

The Golang Go compiler should be updated to a version containing the fix described in the change list go.dev/cl/763765 and all Go applications should be recompiled using the patched compiler. Detailed information about patch versions is available in the vendor references.

Who is affected

Applications compiled using the Golang Go compiler — specific versions indicated in the vendor references (go.dev/issue/78333 and pkg.go.dev/vuln/GO-2026-4868)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Golang Go

    APP
    Golang
    < 1.25.91.26.0 – 1.26.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-66630CRITICAL9.2PL ✓ten sam produkt

Przewidywalne UUID w Fiber v2 — podatność na generowanie słabych identyfikatorów

CVE-2025-68121CRITICAL10.0PL ✓ten sam produkt

Golang crypto/tls: błędna walidacja certyfikatów przy wznawianiu sesji TLS

CVE-2024-24790CRITICAL9.8PL ✓ten sam produkt

Błędna klasyfikacja adresów IPv4-mapped IPv6 w bibliotece standardowej Go

CVE-2023-39320CRITICAL9.8ten sam produkt

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relati...

CVE-2023-29405CRITICAL9.8ten sam produkt

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" o...