Home

Description

Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello.

PUBLISHED Reserved 2026-04-28 | Published 2026-07-08 | Updated 2026-07-08 | Assigner Go

Problem types

CWE-201: Insertion of Sensitive Information Into Sent Data

Product status

Default status
unaffected

Any version before 1.25.12
affected

1.26.0-0 (semver) before 1.26.5
affected

1.27.0-0 (semver) before 1.27.0-rc.2
affected

Credits

Coia Prant (github.com/rbqvq)

References

go.dev/cl/775960

go.dev/issue/79282

groups.google.com/g/golang-announce/c/OrmQE_Yp5Sc

pkg.go.dev/vuln/GO-2026-5856

cve.org (CVE-2026-42505)

nvd.nist.gov (CVE-2026-42505)

Download JSON