Cyber Posture

CVE-2026-27144

High

Published: 08 April 2026

Modified: 16 April 2026
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0001 (0.4th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27144 is a high-severity Type Confusion (CWE-843) vulnerability in Golang Go. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 0.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mandates timely identification, testing, and remediation of flaws like this Go compiler vulnerability to prevent deployment of binaries with memory corruption risks.

prevent

Enforces runtime memory protections such as address space layout randomization and data execution prevention to mitigate exploitation of memory corruption from faulty compiler pointer unwrapping.

detect

Enables vulnerability scanning to identify systems using vulnerable Go compiler versions affected by this type confusion issue.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local memory corruption primitive (type confusion in generated code) directly enables exploitation for privilege escalation on the host.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.

Deeper analysis

CVE-2026-27144 is a vulnerability in the Go compiler, published on 2026-04-08. The compiler is designed to unwrap pointers serving as operands in memory move operations to check for non-overlapping moves. However, a no-op interface conversion blocks this unwrapping, causing the compiler to incorrectly assess move overlap and potentially resulting in memory corruption during program runtime. The issue maps to CWE-843 (Type Confusion) and carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Exploitation triggers memory corruption in affected Go binaries at runtime, leading to high impacts on integrity and availability but no confidentiality loss.

The Go security advisory GO-2026-4867 provides details on the vulnerability at https://pkg.go.dev/vuln/GO-2026-4867. The issue is tracked at https://go.dev/issue/78371, fixed in change list https://go.dev/cl/763764, and announced via https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU.

Details

CWE(s)

Affected Products

golang / go: ≤ 1.25.9 · 1.26.0 — 1.26.2

CVEs Like This One

CVE-2026-27143 (Same product: Golang Go)
CVE-2026-33810 (Same product: Golang Go)
CVE-2025-68121 (Same product: Golang Go)
CVE-2025-61732 (Same product: Golang Go)
CVE-2025-61726 (Same product: Golang Go)
CVE-2026-32280 (Same product: Golang Go)
CVE-2026-27140 (Same product: Golang Go)
CVE-2026-32281 (Same product: Golang Go)
CVE-2026-25679 (Same product: Golang Go)
CVE-2026-32283 (Same product: Golang Go)
