When the compiler lies: breaking memory safety in safe Go (ciolek.dev)

Jakub Ciolek reports two Go compiler bugs (CVE-2026-27143 and CVE-2026-27144) that can break Go’s memory-safety guarantees using only safe Go code. Both involve the compiler making an incorrect “proved safe” assumption: in one, signed integer wrap in induction-variable bounds leads to missing bounds checks; in the other, overlapping-memory handling is skipped because of a no-op conversion. Ciolek notes that the common failure mode is “counterfeit certainty” across different compiler phases, and stresses that memory safety depends on the whole toolchain, not just the language.

April 08, 2026 02:45 Source: Hacker News