CVE-2026-27138

MEDIUM

Go standard library crypto/x509 1.26.0 - Denial of Service via Empty DNS Name in Certificate Chain

Title source: llm

Description

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

References (4)

Core 4

Core References

Various Sources

https://go.dev/cl/752183

Issue Tracking

https://go.dev/issue/77953

Mailing List

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

Various Sources

https://pkg.go.dev/vuln/GO-2026-4600

Scores

CVSS v3 5.9

EPSS 0.0035

EPSS Percentile 26.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-295

Status published

Products (2)

Go standard library/crypto/x509 1.26.0-0 - 1.26.1

golang/go 1.26.0

Published Mar 06, 2026

Tracked Since Mar 07, 2026