{ "threat_severity" : "Moderate", "public_date" : "2026-04-08T01:06:56Z", "bugzilla" : { "description" : "golang: cmd/compile: no-op interface conversion bypasses overlap checking", "id" : "2456340", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2456340" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-440", "details" : [ "The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.", "A flaw was found in the cmd/compile package in the Go standard library. A no-op interface conversion prevented the compiler from correctly identifying non-overlapping memory moves. As a result, the compiler allows unsafe memory move operations to occur at runtime, potentially causing data corruption, memory corruption or unexpected application behavior." ], "statement" : "This issue is only exploitable in applications that contain a memory move or copy operation that is subject to a no-op (no-operation) interface conversion. Furthermore, the source and destination memory addresses involved in the move or copy must overlap and an attacker must be able to supply an input that triggers this specific operation. Due to these reasons, this flaw has been rated with a moderate severity.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10217", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "golang-0:1.25.9-3.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support", "release_date" : "2026-05-11T00:00:00Z", "advisory" : "RHSA-2026:16024", "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0", "package" : "golang-0:1.25.9-1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-04-27T00:00:00Z", "advisory" : "RHSA-2026:10704", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "go-toolset:rhel8-8100020260422204008.a3795dee" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-04-24T00:00:00Z", "advisory" : "RHSA-2026:10219", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "golang-0:1.25.9-1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-05-11T00:00:00Z", "advisory" : "RHSA-2026:16021", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "golang-0:1.25.9-1.el9_6" }, { "product_name" : "Red Hat Hardened Images", "release_date" : "2026-04-09T00:00:00Z", "advisory" : "RHSA-2026:7291", "cpe" : "cpe:/a:redhat:hummingbird:1", "package" : "golang1-26-main-1.26.2-1.hum1" }, { "product_name" : "Red Hat Hardened Images", "release_date" : "2026-04-10T00:00:00Z", "advisory" : "RHSA-2026:7385", "cpe" : "cpe:/a:redhat:hummingbird:1", "package" : "golang1-25-main-1.25.9-1.hum1" }, { "product_name" : "Red Hat OpenShift Service Mesh 2.6", "release_date" : "2026-04-29T00:00:00Z", "advisory" : "RHSA-2026:11688", "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8", "package" : "openshift-service-mesh/istio-cni-rhel8:1777374598" }, { "product_name" : "Red Hat OpenShift Service Mesh 2.6", "release_date" : "2026-04-29T00:00:00Z", "advisory" : "RHSA-2026:11688", "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8", "package" : "openshift-service-mesh/istio-rhel8-operator:1777320087" }, { "product_name" : "Red Hat OpenShift Service Mesh 2.6", "release_date" : "2026-04-29T00:00:00Z", "advisory" : "RHSA-2026:11688", "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8", "package" : "openshift-service-mesh/pilot-rhel8:1777319850" }, { "product_name" : "Red Hat OpenShift Service Mesh 2.6", "release_date" : "2026-04-29T00:00:00Z", "advisory" : "RHSA-2026:11688", "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8", "package" : "openshift-service-mesh/ratelimit-rhel8:1777319773" }, { "product_name" : "Red Hat OpenShift Service Mesh 3", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16477", "cpe" : "cpe:/a:redhat:service_mesh:3.0::el9", "package" : "openshift-service-mesh/istio-cni-rhel9:1777883393" }, { "product_name" : "Red Hat OpenShift Service Mesh 3", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16477", "cpe" : "cpe:/a:redhat:service_mesh:3.0::el9", "package" : "openshift-service-mesh/istio-pilot-rhel9:1777883471" }, { "product_name" : "Red Hat OpenShift Service Mesh 3", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16477", "cpe" : "cpe:/a:redhat:service_mesh:3.0::el9", "package" : "openshift-service-mesh/istio-proxyv2-rhel9:1777984344" }, { "product_name" : "Red Hat OpenShift Service Mesh 3", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16477", "cpe" : "cpe:/a:redhat:service_mesh:3.0::el9", "package" : "openshift-service-mesh/istio-rhel9-operator:1778149127" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.1", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16505", "cpe" : "cpe:/a:redhat:service_mesh:3.1::el9", "package" : "openshift-service-mesh/istio-cni-rhel9:1777884045" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.1", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16505", "cpe" : "cpe:/a:redhat:service_mesh:3.1::el9", "package" : "openshift-service-mesh/istio-pilot-rhel9:1777884022" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.1", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16505", "cpe" : "cpe:/a:redhat:service_mesh:3.1::el9", "package" : "openshift-service-mesh/istio-proxyv2-rhel9:1778125216" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.1", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16505", "cpe" : "cpe:/a:redhat:service_mesh:3.1::el9", "package" : "openshift-service-mesh/istio-rhel9-operator:1778149657" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.2", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16508", "cpe" : "cpe:/a:redhat:service_mesh:3.2::el9", "package" : "openshift-service-mesh/istio-cni-rhel9:1778007597" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.2", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16508", "cpe" : "cpe:/a:redhat:service_mesh:3.2::el9", "package" : "openshift-service-mesh/istio-pilot-rhel9:1778007366" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.2", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16508", "cpe" : "cpe:/a:redhat:service_mesh:3.2::el9", "package" : "openshift-service-mesh/istio-proxyv2-rhel9:1778103735" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.2", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16508", "cpe" : "cpe:/a:redhat:service_mesh:3.2::el9", "package" : "openshift-service-mesh/istio-rhel9-operator:1778150474" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.3", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16537", "cpe" : "cpe:/a:redhat:service_mesh:3.3::el9", "package" : "openshift-service-mesh/istio-cni-rhel9:1778007548" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.3", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16537", "cpe" : "cpe:/a:redhat:service_mesh:3.3::el9", "package" : "openshift-service-mesh/istio-pilot-rhel9:1778007569" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.3", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16537", "cpe" : "cpe:/a:redhat:service_mesh:3.3::el9", "package" : "openshift-service-mesh/istio-proxyv2-rhel9:1778012399" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.3", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16537", "cpe" : "cpe:/a:redhat:service_mesh:3.3::el9", "package" : "openshift-service-mesh/istio-rhel9-operator:1778151060" } ], "package_state" : [ { "product_name" : "OpenShift Service Mesh 2", "fix_state" : "Not affected", "package_name" : "openshift-golang-builder-container", "cpe" : "cpe:/a:redhat:service_mesh:2" }, { "product_name" : "OpenShift Service Mesh 2", "fix_state" : "Affected", "package_name" : "openshift-service-mesh/proxyv2-rhel9", "cpe" : "cpe:/a:redhat:service_mesh:2" }, { "product_name" : "OpenShift Service Mesh 3", "fix_state" : "Not affected", "package_name" : "openshift-golang-builder-container", "cpe" : "cpe:/a:redhat:service_mesh:3" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "go-toolset", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Affected", "package_name" : "golang", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift-golang-builder-container", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Virtualization 4", "fix_state" : "Affected", "package_name" : "openshift-golang-builder-container", "cpe" : "cpe:/a:redhat:container_native_virtualization:4" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-27144\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27144\nhttps://go.dev/cl/763764\nhttps://go.dev/issue/78371\nhttps://groups.google.com/g/golang-announce/c/0uYbvbPZRWU\nhttps://pkg.go.dev/vuln/GO-2026-4867" ], "name" : "CVE-2026-27144", "mitigation" : { "value" : "To mitigate this issue, review code that performs memory copies or struct assignments. If data is being passed through an interface (such as 'any' or 'interface{}') just before a move operation, refactor the code to use concrete types or explicit pointers instead.", "lang" : "en:us" }, "csaw" : false }