GO-2026-4866

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2026-4866

Import Source

https://vuln.go.dev/ID/GO-2026-4866.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2026-4866

Aliases

CVE-2026-33810

Published

2026-04-07T22:53:49Z

Modified

2026-04-08T01:15:22.472258Z

Summary

Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509

Details

When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2026-4866"
}

References

Credits

- Riyas from Saintgits College of Engineering
- k1rnt
- @1seal

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

1.26.0-0

Fixed

1.26.2

Ecosystem specific

{
    "imports": [
        {
            "path": "crypto/x509",
            "symbols": [
                "Certificate.Verify",
                "dnsConstraints.query",
                "newDNSConstraints"
            ]
        }
    ]
}

Database specific

source

"https://vuln.go.dev/ID/GO-2026-4866.json"