Skip to main content

Red Hat EUVDEUVD-2026-20004

| CVE-2026-27143 CRITICAL
2026-04-08 Go GHSA-cfp9-33rc-j74f
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
8.1 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 16, 2026 - 19:22 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:25 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
9.8 (CRITICAL)
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 01:45 euvd
EUVD-2026-20004
CVE Published
Apr 08, 2026 - 01:06 nvd
N/A

DescriptionCVE.org

Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.

AnalysisAI

Integer overflow in Go compiler's loop optimization (cmd/compile 1.25.x < 1.25.9, 1.26.x < 1.26.2) allows remote code execution through crafted source code that triggers invalid array indexing at runtime. Attack vector is network-accessible (AV:N) with no authentication required (PR:N), enabling attackers to compile malicious Go programs that exploit compiler-generated memory corruption vulnerabilities. EPSS score of 0.01% (1st percentile) indicates low observed exploitation probability despite

Technical ContextAI

This vulnerability resides in Go's cmd/compile toolchain component, specifically in the compiler's optimization passes that handle arithmetic operations over loop induction variables. Induction variables are iteration counters or derived values that change predictably across loop iterations (e.g., i++, array[i*2]). The compiler performs static analysis to optimize these patterns but failed to properly validate integer bounds, allowing signed/unsigned integer overflow or underflow conditions to pass unchecked into compiled binaries. When the flawed compiled code executes, out-of-bounds array indexing occurs, enabling memory corruption primitive attacks. The CPE identifier cpe:2.3:a:go_toolchain:cmd/compile confirms this affects the compiler itself during build-time rather than runtime libraries. Without assigned CWE classification, the vulnerability appears to combine characteristics of CWE-190 (Integer Overflow) and CWE-119 (Improper Memory Buffer Restriction). This is a supply-chain attack surface: adversaries must convince targets to compile malicious Go source code using vulnerable compiler versions, rather than directly exploiting running applications.

RemediationAI

Upgrade Go toolchain to patched versions 1.25.9 or later for the 1.25 branch, or 1.26.2 or later for the 1.26 branch as specified in https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU. Verify installed version with 'go version' command and update via package manager (apt install golang-1.25.9, brew upgrade go) or direct download from https://go.dev/dl/. Update CI/CD pipeline configurations (Dockerfile FROM golang:1.26.2, GitHub Actions go-version: 1.25.9, GitLab CI image: golang:1.26.2) to prevent using vulnerable compiler versions. No runtime workaround exists as the flaw is in compiler code generation; previously compiled binaries from vulnerable toolchains may contain exploitable code and should be recompiled with patched versions if they process untrusted input. Review Go module dependencies via 'go list -m all' and consult https://pkg.go.dev/vuln/GO-2026-4868 for supply-chain impact assessment.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Fixed

Share

EUVD-2026-20004 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy