Go Compiler Arithmetic Vulnerability in Induction Variables Allows Memory Corruption

Vulnerability

A vulnerability exists in the Go compiler's handling of induction variables in loops. The compiler did not properly check these variables for arithmetic underflow or overflow, which could lead to invalid memory indexing at runtime. The issue occurs in the compilation step of the Go command and affects versions prior to 1.25.9 and between 1.26.0 and 1.26.2.

Impact

Exploitation of this vulnerability could result in memory corruption by allowing access to memory outside the bounds of arrays or slices.

Remediation

Users can upgrade to Go versions 1.26.2 or 1.25.9, both of which include the necessary fix. Instructions for downloading these versions are available on the Go website.
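
Because the defect is in the compiler, the version that matters is the toolchain each binary was built with. The following Go program is an added example, not code from the Go project or from this advisory: it reads the Go version embedded in compiled binaries and classifies it against the ranges stated above. Assumptions: the function name `Affected` is hypothetical, 1.26.2 is treated as fixed because the Remediation section lists it, minor lines after 1.26 are treated as not affected, and rc, beta or devel version strings are reported as unrecognized for manual review.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// Plain release versions only, e.g. "go1.25.8" or "go1.26" (patch defaults to 0).
var goVer = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?$`)

// Affected applies the advisory's ranges: anything before 1.25.9, and
// 1.26.0 up to (assumed: not including) 1.26.2. ok is false when the
// string is not a plain Go 1.x release and needs manual review.
func Affected(v string) (affected, ok bool) {
	m := goVer.FindStringSubmatch(v)
	if m == nil {
		return false, false
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3]) // empty patch parses as 0
	switch {
	case major != 1:
		return false, false // assumption: the advisory covers Go 1.x only
	case minor < 25:
		return true, true
	case minor == 25:
		return patch < 9, true
	case minor == 26:
		return patch < 2, true
	}
	return false, true // assumption: later minor lines carry the fix
}

func main() {
	for _, path := range os.Args[1:] { // each argument is a compiled Go binary
		info, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Printf("%s: not a readable Go binary: %v\n", path, err)
			continue
		}
		aff, ok := Affected(info.GoVersion)
		fmt.Printf("%s: built with %s affected=%v recognized=%v\n", path, info.GoVersion, aff, ok)
	}
}
```

Binaries reported as affected need to be rebuilt with a fixed toolchain; upgrading the installed Go version alone does not change code that was already compiled.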

Added: Apr 8, 2026, 2:28 AM
Updated: Apr 8, 2026, 2:28 AM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 5.0
exploitability: 5.0
remediation: 7.7
relevance: 5.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.