Hacker News

tptacek, last Sunday at 8:44 PM

Go ahead and demonstrate it. Obviously, I'm saying this because nobody has managed to do this in a real Go program. You can contrive vulnerabilities in any language.

It's not like this is a small track record. There is a lot of Go code, a fair bit of it important, and memory corruption exploits in non-FFI Go code are... not a thing. Like at all.


Replies

cyberax, last Monday at 3:11 AM

Go is rarely used in contexts where an attacker can groom the heap before doing the attack. The closest one is probably a breakout from an exposed container on a host with a Docker runtime.

I triggered SSM agent crashes while developing my https://github.com/Cyberax/gimlet by doing concurrent requests.

I'm certain that they could have been used to do code execution, but it just makes no real sense given the context.
