Описание
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
A flaw was found in the cmd/compile package in the Go standard library. A no-op interface conversion prevented the compiler from correctly identifying non-overlapping memory moves. As a result, the compiler allows unsafe memory move operations to occur at runtime, potentially causing data corruption, memory corruption or unexpected application behavior.
Отчет
This issue is only exploitable in applications that contain a memory move or copy operation that is subject to a no-op (no-operation) interface conversion. Furthermore, the source and destination memory addresses involved in the move or copy must overlap and an attacker must be able to supply an input that triggers this specific operation. Due to these reasons, this flaw has been rated with a moderate severity.
Меры по смягчению последствий
To mitigate this issue, review code that performs memory copies or struct assignments. If data is being passed through an interface (such as 'any' or 'interface{}') just before a move operation, refactor the code to use concrete types or explicit pointers instead.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Service Mesh 2 | openshift-golang-builder-container | Not affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/proxyv2-rhel9 | Affected | ||
| OpenShift Service Mesh 3 | openshift-golang-builder-container | Not affected | ||
| Red Hat Enterprise Linux 9 | go-toolset | Affected | ||
| Red Hat Enterprise Linux AI (RHEL AI) 3 | golang | Affected | ||
| Red Hat OpenShift Virtualization 4 | openshift-golang-builder-container | Affected | ||
| Red Hat Enterprise Linux 10 | golang | Fixed | RHSA-2026:10217 | 23.04.2026 |
| Red Hat Enterprise Linux 10.0 Extended Update Support | golang | Fixed | RHSA-2026:16024 | 11.05.2026 |
| Red Hat Enterprise Linux 8 | go-toolset | Fixed | RHSA-2026:10704 | 27.04.2026 |
| Red Hat Enterprise Linux 9 | golang | Fixed | RHSA-2026:10219 | 24.04.2026 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.1 High
CVSS3
Связанные уязвимости
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile
The compiler is meant to unwrap pointers which are the operands of a m ...
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
EPSS
8.1 High
CVSS3