The bug lies in Go's crypto/x509 implementation of name constraint enforcement during certificate chain verification. When a certificate chain includes excluded DNS constraints, the constraints are not correctly applied to wildcard DNS SAN entries that differ in case from the constraint. This logic flaw allows an otherwise trusted chain to satisfy the excludedSubtrees rule, effectively bypassing the intended restriction. The weakness maps to CWE‑1289 – improper constraint application – and CWE‑295, and results in an attacker gaining unauthorized access by presenting a certificate chain that would normally be rejected.

All instances of the Go standard library’s crypto/x509 package are affected. The flaw impacts any application that validates certificate chains against a root CA supplied via VerifyOptions.Roots CertPool or the system certificate pool. No specific version range was provided in the advisory, so any Go runtime using the vulnerable logic is at risk.

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1 % suggests a low probability of widespread exploitation at present. The vulnerability is not listed in CISA’s KEV catalog, yet it remains a concern for applications that rely on strict name constraint enforcement for internal security controls. Attackers can exploit this flaw by crafting a certificate chain that appears valid under Go’s verification logic but actually violates name constraints, thereby gaining authentication bypass. The most likely attack vector is remote, through network connections that trigger TLS handshakes or other certificate evaluations by Go applications.