Home

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

PUBLISHED Reserved 2026-04-28 | Published 2026-05-22 | Updated 2026-05-22 | Assigner Go

Problem types

CWE-295: Improper Certificate Validation

Product status

Default status
unaffected

Any version before 0.52.0
affected

References

go.dev/issue/79568

go.dev/cl/781220

groups.google.com/g/golang-announce/c/a082jnz-LvI

pkg.go.dev/vuln/GO-2026-5021

cve.org (CVE-2026-42508)

nvd.nist.gov (CVE-2026-42508)

Download JSON