CVE-2026-27138

Published: Mar 6, 2026Modified: Apr 21, 2026

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.2 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

Affected (1)

Products: Golang: Go

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Version 1.26.0

Related CWEs

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (4)

https://go.dev/cl/752183

Source: security@golang.org

Mailing List

https://go.dev/issue/77953

Source: security@golang.org

Issue Tracking

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

Source: security@golang.org

Release Notes

https://pkg.go.dev/vuln/GO-2026-4600

Source: security@golang.org

Vendor Advisory

Timeline

No history available yet.