5.9

CVE-2026-27138

EPSS 0.03%
Veröffentlicht 06.03.2026 21:28:14
Zuletzt bearbeitet 21.04.2026 14:39:28
Quelle security@golang.org
CVE-Watchlists
Login
Unerledigt
Login

Panic in name constraint checking for malformed certificates in crypto/x509

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Golang ≫ Go Version1.26.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.085

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

Release Notes

https://go.dev/issue/77953

Issue Tracking

https://go.dev/cl/752183

Mailing List

https://pkg.go.dev/vuln/GO-2026-4600

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-27138

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27138

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27138

EUVD