The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00008.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Go toolchain cmd/compile unaffected
Version Status Constraints
0 affected < 1.25.9
1.26.0-0 affected < 1.26.2

No data.

No data.

No data.

Project Subscriptions

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://go.dev/cl/763764 cve-icon cve-icon
https://go.dev/issue/78371 cve-icon cve-icon
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU cve-icon cve-icon
https://pkg.go.dev/vuln/GO-2026-4867 cve-icon cve-icon
History

Wed, 08 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
Title Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-08T01:06:56.908Z

Reserved: 2026-02-17T19:57:28.435Z

Link: CVE-2026-27144

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-08T02:16:03.130

Modified: 2026-04-08T02:16:03.130

Link: CVE-2026-27144

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses

No weakness.