Previously, slices and arrays accessed using induction variables
were sometimes incorrectly proved in-bound. If the induction variable
used for indexing were to overflow or underflow, it could allow access
to memory beyond the scope of the original slice or array.
To prevent this behavior, the compiler ensures that any mutated induction
variable that overflows/underflows with respect to its loop condition
is not used for bound check elimination.
Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue.
This is CVE-2026-27143 and Go issue https://go.dev/issue/78333.
This is a PRIVATE issue for CVE-2026-27143, tracked in http://b/489466309 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3700.
/cc @golang/security and @golang/release
Previously, slices and arrays accessed using induction variables
were sometimes incorrectly proved in-bound. If the induction variable
used for indexing were to overflow or underflow, it could allow access
to memory beyond the scope of the original slice or array.
To prevent this behavior, the compiler ensures that any mutated induction
variable that overflows/underflows with respect to its loop condition
is not used for bound check elimination.
Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue.
This is CVE-2026-27143 and Go issue https://go.dev/issue/78333.
This is a PRIVATE issue for CVE-2026-27143, tracked in http://b/489466309 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3700.
/cc @golang/security and @golang/release