Description

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that either directly verify X.509 certificate chains or use TLS.

PUBLISHED Reserved 2026-02-17 | Published 2026-03-06 | Updated 2026-03-08 | Assigner Go

Problem types

CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input

Product status

Default status: unaffected

Affected: from 1.26.0-0 (semver) before 1.26.1

Credits

Jakub Ciolek

References

groups.google.com/g/golang-announce/c/EdhZqrQ98hk

go.dev/issue/77953

go.dev/cl/752183

pkg.go.dev/vuln/GO-2026-4600

cve.org (CVE-2026-27138)

nvd.nist.gov (CVE-2026-27138)
