CVE-2026-27143

Critical

Published: 08 April 2026

Published

08 April 2026

Modified

16 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 5.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27143 is a critical-severity an unspecified weakness vulnerability in Golang Go. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-15 (Development Process, Standards, and Tools) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of flaws like the Go compiler's inadequate arithmetic overflow checks by updating to patched toolchain versions.

SA-15 Development Process, Standards, and Tools good match

prevent

Mandates protection and monitoring of compilers such as the Go compiler to prevent use of vulnerable versions that generate code with unchecked loop induction variable arithmetic.

SI-16 Memory Protection partial match

prevent

Implements memory protections that mitigate runtime memory corruption resulting from invalid indexing caused by the compiler-generated faulty loop arithmetic.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

Why these techniques?

Compiler flaw generates code with invalid loop indexing, enabling remote memory corruption (RCE/DoS) in Go binaries via crafted input; directly maps to exploitation techniques for priv-esc, public apps, client execution, and remote services.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.

Deeper analysisAI

CVE-2026-27143 is a critical vulnerability in the Go compiler, published on 2026-04-08, stemming from inadequate checks for underflow or overflow in arithmetic operations on induction variables within loops. This flaw enables the compiler to generate code that performs invalid indexing at runtime, potentially resulting in memory corruption. The issue is tracked under CWE-Other and carries a CVSS v3.1 base score of 9.8, reflecting its high severity.

Remote attackers require no privileges, user interaction, or special access to exploit this vulnerability over the network with low complexity. Exploitation occurs when a Go-compiled binary processes crafted input that triggers the faulty loop arithmetic, leading to memory corruption with high impacts on confidentiality, integrity, and availability.

Go project advisories, including the official announcement, issue tracker, change list, and vulnerability database entry (GO-2026-4868), provide details on the fix and recommend updating to patched versions of the Go toolchain to mitigate the issue.

Details

CWE(s): NVD-CWE-Other

Affected Products

golang

≤ 1.25.9 · 1.26.0 — 1.26.2

CVEs Like This One

CVE-2026-27144Same product: Golang Go

CVE-2025-68121Same product: Golang Go

CVE-2026-32280Same product: Golang Go

CVE-2025-61732Same product: Golang Go

CVE-2026-27140Same product: Golang Go

CVE-2025-61726Same product: Golang Go

CVE-2025-61731Same product: Golang Go

CVE-2026-32281Same product: Golang Go

CVE-2026-33810Same product: Golang Go

CVE-2026-25679Same product: Golang Go

References

https://go.dev/cl/763765
Patch · security@golang.org
https://go.dev/issue/78333
Issue Tracking · security@golang.org
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
Release Notes, Mailing List · security@golang.org
https://pkg.go.dev/vuln/GO-2026-4868
Vendor Advisory · security@golang.org