Skip to main content

Red Hat EUVDEUVD-2026-20006

| CVE-2026-27144 HIGH
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2026-04-08 Go GHSA-cqrx-3m42-5p5w
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 16, 2026 - 19:22 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:25 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
7.1 (HIGH)
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 01:45 euvd
EUVD-2026-20006
CVE Published
Apr 08, 2026 - 01:06 nvd
N/A

DescriptionCVE.org

The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.

AnalysisAI

Memory corruption in Go compiler cmd/compile versions before 1.25.9 and 1.26.0-1.26.1 allows local authenticated attackers to achieve integrity compromise and denial of service. A flaw in pointer unwrapping logic during memory move operations causes the compiler to incorrectly assess overlapping memory regions, potentially corrupting compiled binaries. EPSS score of 0.01% indicates minimal real-world exploitation probability, and no public exploit or active exploitation (non-KEV) has been identified at time of analysis.

Technical ContextAI

The Go compiler (cmd/compile) performs optimization during code generation, including unwrapping pointer operands for memory move operations to determine whether source and destination regions overlap. This CVE affects the compiler's static analysis phase where a no-op interface conversion-an interface type conversion that should have no runtime effect-prevented correct pointer analysis. The compiler failed to recognize non-overlapping memory regions, potentially emitting incorrect machine code that performs unsafe memory copies. This represents a compiler bug rather than a runtime library vulnerability, meaning the defect exists in the toolchain that builds Go programs. The affected component is specifically the cmd/compile package (CPE: cpe:2.3:a:go_toolchain:cmd/compile), which is the Go compiler binary itself. While no CWE is assigned, this aligns with compiler optimization errors that can introduce undefined behavior into compiled outputs.

RemediationAI

Upgrade the Go toolchain to version 1.25.9 or later for the 1.25.x series, or to version 1.26.2 or later for the 1.26.x series. The fix was implemented in code review https://go.dev/cl/763764 addressing issue https://go.dev/issue/78371. Organizations should update their build systems, CI/CD pipelines, and developer workstations to use patched compiler versions. After upgrading, rebuild all Go binaries that were compiled with affected versions to eliminate potentially corrupted code generation. Verify toolchain versions using 'go version' command. No workarounds are available as this is a compiler-level defect requiring toolchain replacement. Refer to the official Go security announcement at https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU for complete remediation guidance.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Fixed

Share

EUVD-2026-20006 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy