CVE-2026-39821

CRITICAL

Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

Title source: cna
STIX 2.1

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

References (49)

Core 49
Core References

Scores

CVSS v3 9.6
EPSS 0.0048
EPSS Percentile 38.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-1289
Status published
Products (2)
golang/net < 0.55.0
golang.org/x/net/golang.org/x/net/idna < 0.55.0
Published May 22, 2026
Tracked Since May 22, 2026