Missing bound checks can lead to memory corruption in safe Go in cmd/compile

Description

A vulnerability was found in cmd-compile up to 1.25.8/1.26.1 on Go and classified as critical. Executing a manipulation of the argument induction can lead to integer overflow.

Affected Products

Vendor	Product	Versions
go toolchain	cmd/compile	0, 1.26.0-0, 1.25.8, 1.26.1

References

Related News (2 articles)

Tier C

VulDB5h ago

CVE-2026-27143 | cmd-compile up to 1.25.8/1.26.1 on Go induction integer overflow

→ No new info (linked only)

Tier E

Lobsters Security11h ago

When the compiler lies: breaking memory safety in safe Go

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.25.91.26.2

CWECWE-190

PublishedApr 8, 2026

Last enriched4h agov2

Community Vote

Version History

Last enriched 4h ago

v2Tier C4h ago

Updated severity to CRITICAL, added affected versions 1.25.8 and 1.26.1, and noted that no exploit is available.

descriptionseverityaffectedVersionsactivelyExploitedcweIdstags

via VulDB

v18h ago

Initial creation

Missing bound checks can lead to memory corruption in safe Go in cmd/compile

Description

Affected Products

References

Related News (2 articles)

Community Vote

Related CVEs (2)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History