Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

PUBLISHED Reserved 2026-02-17 | Published 2026-06-02 | Updated 2026-06-04 | Assigner Go

Problem types

CWE-407: Inefficient Algorithmic Complexity

Product status

Default status: unaffected

Any version before 1.25.11: affected

1.26.0-0 (semver) before 1.26.4: affected
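The ranges above, applied to the toolchain string a Go binary reports about itself (crypto/x509 is compiled in from the building toolchain). This is an added example, not part of the CVE record or the Go project's code; `affected` and `leadingInt` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// leadingInt parses the run of decimal digits at the start of s.
func leadingInt(s string) (int, string, bool) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	n, err := strconv.Atoi(s[:i]) // fails on an empty digit run
	return n, s[i:], err == nil
}

// affected reports whether a runtime.Version() string such as "go1.25.3" or
// "go1.26rc1" falls in the ranges listed under "Product status". Strings it
// cannot parse (for example "devel ..." builds) return an error, not a guess.
func affected(version string) (bool, error) {
	bad := fmt.Errorf("cannot classify toolchain version %q", version)
	s, ok := strings.CutPrefix(version, "go1.")
	minor, rest, ok2 := leadingInt(s)
	if !ok || !ok2 {
		return false, bad
	}
	patch := 0 // pre-releases ("go1.26rc1") sort before the .0 release
	if strings.HasPrefix(rest, ".") {
		if patch, _, ok = leadingInt(rest[1:]); !ok {
			return false, bad
		}
	}
	switch minor {
	case 25:
		return patch < 11, nil // fixed in 1.25.11
	case 26:
		return patch < 4, nil // 1.26.0-0 up to, not including, 1.26.4
	}
	return minor < 25, nil // older lines affected; newer default to unaffected
}

func main() {
	v := runtime.Version()
	hit, err := affected(v)
	fmt.Println(v, "affected:", hit, "error:", err)
}
```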

Credits

Jakub Ciolek - https://ciolek.dev/

References

go.dev/cl/783621

go.dev/issue/79694

groups.google.com/g/golang-announce/c/tKs3rmcBcKw

pkg.go.dev/vuln/GO-2026-5037

cve.org (CVE-2026-27145)

nvd.nist.gov (CVE-2026-27145)