Cyber Resilience

CVE-2026-27144

High

Published: 08 April 2026

Modified: 16 April 2026
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0001 (0.3th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27144 is a high-severity Type Confusion (CWE-843) vulnerability in Golang Go. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27144 is a vulnerability in the Go compiler, published on 2026-04-08. The compiler is designed to unwrap pointers serving as operands in memory move operations to check for non-overlapping moves. However, a no-op interface conversion blocks this unwrapping, causing the compiler to incorrectly assess move overlap and potentially resulting in memory corruption during program runtime. The issue maps to CWE-843 (Type Confusion) and carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Exploitation triggers memory corruption in affected Go binaries at runtime, leading to high impacts on integrity and availability but no confidentiality loss.

The Go security advisory GO-2026-4867 provides details on the vulnerability at https://pkg.go.dev/vuln/GO-2026-4867. The issue is tracked at https://go.dev/issue/78371, fixed in change list https://go.dev/cl/763764, and announced via https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU.

Vulnerability details

The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local memory corruption primitive (type confusion in generated code) directly enables exploitation for privilege escalation on the host.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27143 (same product: Golang Go)
CVE-2026-25679 (same product: Golang Go)
CVE-2025-61731 (same product: Golang Go)
CVE-2025-61726 (same product: Golang Go)
CVE-2026-27140 (same product: Golang Go)
CVE-2026-32283 (same product: Golang Go)
CVE-2025-68121 (same product: Golang Go)
CVE-2026-27137 (same product: Golang Go)
CVE-2026-32280 (same product: Golang Go)
CVE-2026-32281 (same product: Golang Go)

Affected Assets

golang / go: ≤ 1.25.9 · 1.26.0 — 1.26.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly mandates timely identification, testing, and remediation of flaws like this Go compiler vulnerability to prevent deployment of binaries with memory corruption risks.

Prevent: Enforces runtime memory protections such as address space layout randomization and data execution prevention to mitigate exploitation of memory corruption from faulty compiler pointer unwrapping.

Detect: Enables vulnerability scanning to identify systems using vulnerable Go compiler versions affected by this type confusion issue.
