Description
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
Published: 2026-03-06
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service through program crash caused by certificate verification panic
Action: Update Go
AI Analysis

Impact

Certificate verification panics when a chain contains a certificate with an empty DNS name and another certificate whose name constraints exclude that name. The panic aborts the verification routine and terminates the program, producing a denial of service. Programs that verify X.509 chains directly, and programs that use TLS, will crash. The weakness originates from unsafe error handling during name constraint checking and is classified as CWE-295.

Affected Systems

The affected component is the Go standard library package crypto/x509, which is used by all Go applications that validate certificates or establish TLS connections. Any Go program built with an unpatched standard library version is susceptible. The specific Go release numbers that contain the vulnerability are not listed here; the issue is documented by the Go team and fixed in later releases (see the referenced issue links).

Risk and Exploitability

With a CVSS score of 5.9 the vulnerability is of moderate severity, and an EPSS score of less than 1 % indicates a very low probability of exploitation. It is not listed in the CISA KEV catalog. The most likely attack vector is remote: an attacker supplies a crafted certificate chain, for example during an HTTPS handshake, to a server or client that performs TLS handshakes. The attacker must control the certificate chain; no privilege escalation is required, but the induced crash would deny service to users of the affected application.

Generated by OpenCVE AI on April 16, 2026 at 11:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Go toolchain to the latest release that contains the crypto/x509 patch (consult the Go issue tracker for the specific release).
  • Rebuild all Go binaries that depend on the standard library to ensure they link against the updated package and redeploy the binaries to the target hosts.
  • As a temporary measure, configure TLS connections to reject certificates with empty DNS names or use a third-party library that performs stricter name constraint validation until the Go library fix is deployed.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 14:45:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Golang
                                        Golang go
  CPEs                                  cpe:2.3:a:golang:go:1.26.0:*:*:*:*:*:*:*
  Vendors & Products                    Golang
                                        Golang go

Wed, 11 Mar 2026 12:15:00 +0000

  Type                 Values Removed   Values Added
  Weaknesses                            CWE-295
  References
  Metrics              threat_severity  threat_severity
                       None             Low

Tue, 10 Mar 2026 14:15:00 +0000

  Type                 Values Removed   Values Added
  Metrics                               cvssV3_1
                                        {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                                        ssvc
                                        {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Go Standard Library
                                        Go Standard Library crypto Tls
  Vendors & Products                    Go Standard Library
                                        Go Standard Library crypto Tls

Fri, 06 Mar 2026 21:45:00 +0000

  Type                 Values Removed   Values Added
  Description                           Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
  Title                                 Panic in name constraint checking for malformed certificates in crypto/x509
  References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-03-10T13:35:19.784Z

Reserved: 2026-02-17T19:57:28.435Z

Link: CVE-2026-27138

Vulnrichment

Updated: 2026-03-10T13:35:03.116Z

NVD

Status: Analyzed

Published: 2026-03-06T22:16:00.963

Modified: 2026-04-21T14:39:28.073

Link: CVE-2026-27138

Redhat

Severity: Low

Public Date: 2026-03-06T21:28:14Z

Links: CVE-2026-27138 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses