GO-2026-5856

Source
https://pkg.go.dev/vuln/GO-2026-5856
Import Source
https://vuln.go.dev/ID/GO-2026-5856.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2026-5856
Aliases
  • CVE-2026-42505
Related
Published
2026-07-07T21:34:47Z
Modified
2026-07-08T20:29:26.756890979Z
Summary
Invoking Encrypted Client Hello privacy leak in crypto/tls
Details

Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello.

Database specific
{
    "url": "https://pkg.go.dev/vuln/GO-2026-5856",
    "review_status": "REVIEWED"
}
References
Credits
    • Coia Prant (github.com/rbqvq)

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.25.12
Introduced
1.26.0-0
Fixed
1.26.5
Introduced
1.27.0-0
Fixed
1.27.0-rc.2

Ecosystem specific

{
    "imports": [
        {
            "path": "crypto/tls",
            "symbols": [
                "Conn.Handshake",
                "Conn.HandshakeContext",
                "Conn.Read",
                "Conn.Write",
                "Dial",
                "DialWithDialer",
                "Dialer.Dial",
                "Dialer.DialContext",
                "QUICConn.HandleData",
                "QUICConn.SendSessionTicket",
                "QUICConn.Start",
                "clientHelloMsg.marshalMsg"
            ]
        }
    ]
}

Database specific

source
"https://vuln.go.dev/ID/GO-2026-5856.json"