GO-2026-4600

Source
https://pkg.go.dev/vuln/GO-2026-4600
Import Source
https://vuln.go.dev/ID/GO-2026-4600.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2026-4600
Aliases
  • CVE-2026-27138
Published
2026-03-06T21:03:42Z
Modified
2026-03-09T01:12:03.060083Z
Summary
Panic in name constraint checking for malformed certificates in crypto/x509
Details

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that either verify X.509 certificate chains directly or use TLS.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2026-4600"
}
Credits
    • Jakub Ciolek

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
1.26.0-0
Fixed
1.26.1

Ecosystem specific

{
    "imports": [
        {
            "path": "crypto/x509",
            "symbols": [
                "Certificate.Verify",
                "dnsConstraints.query"
            ]
        }
    ]
}

Database specific

source
"https://vuln.go.dev/ID/GO-2026-4600.json"