CVE-2026-27138

MEDIUM

Rust - DoS

Title source: llm

Description

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

References (4)

[Various Sources] https://go.dev/cl/752183

[Issue Tracking] https://go.dev/issue/77953

[Mailing List] https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

[Various Sources] https://pkg.go.dev/vuln/GO-2026-4600

Scores

CVSS v3 5.9

EPSS 0.0003

EPSS Percentile 9.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-295

Status published

Products (2)

Go standard library/crypto/x509 1.26.0-0 - 1.26.1

golang/go 1.26.0

Published Mar 06, 2026

Tracked Since Mar 07, 2026