CVE-2026-39821
CRITICALInvoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
Title source: cnaDescription
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
References (49)
Core 49
Core References
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:23262
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:23264
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:26546
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:26547
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:30650
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:30651
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:30853
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:30854
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:30855
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:33155
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:33160
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:33163
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:33173
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:33183
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-39821
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2480756
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:34789
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:35829
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:35993
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:35994
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:36167
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:33524
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:33531
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:34342
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:34357
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:34359
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:34364
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:35826
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:35827
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:35828
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:35830
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:35831
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:36105
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:36207
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:36648
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:36651
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:36796
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:36797
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:36808
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:36820
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:36883
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:37387
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:37435
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:37436
Scores
CVSS v3
9.6
EPSS
0.0048
EPSS Percentile
38.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-1289
Status
published
Products (2)
golang/net
< 0.55.0
golang.org/x/net/golang.org/x/net/idna
< 0.55.0
Published
May 22, 2026
Tracked Since
May 22, 2026