Description
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program that performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".
Published: 2026-05-22
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ToASCII and ToUnicode functions in golang.org/x/net's idna package incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. Instead of returning an error, the functions return the plain ASCII name, so an attacker can supply an encoded hostname that passes a check done on the ASCII form yet converts to the very name that check would have rejected. A program that performs privilege checks on the ASCII form but later uses the Unicode form can therefore have its authorization controls bypassed, resulting in privilege escalation.

Affected Systems

The vulnerable component is the idna package within the golang.org/x/net Go module. No specific vulnerable version range is enumerated in the advisory; any release containing the bug before the fix is potentially affected. Systems that compile Go binaries or import older versions of golang.org/x/net should verify whether the patch has been applied.

Risk and Exploitability

The risk materializes when an application uses idna for hostname validation in authentication or access control. An attacker can provide a Punycode hostname that looks legitimate in ASCII checks yet matches the same Unicode name later, enabling privilege escalation. The CVSS score of 10.0 denotes critical severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, but the high severity and potential for privilege escalation keep the threat significant.

Generated by OpenCVE AI on May 22, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade golang.org/x/net to a version that includes the idna bug fix (see https://go.dev/issue/78760).
  • If an immediate update is not possible, add a validation step that rejects any Punycode label whose Unicode conversion yields a name containing only ASCII characters before performing privilege checks.
  • Ensure that any Punycode-encoded (xn--) label in a host name used for authorization contains at least one non‑ASCII character after conversion, and treat such conversions that produce only ASCII as errors.

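The pre-check from the two recommended actions above, as an added example (not code from the advisory or from golang.org/x/net): it flags an xn-- label that would convert to an ASCII-only name and runs that check before a deny-list decision. It relies on the Punycode property that every code point produced from the digits after the last '-' is at least 128, so no full decoder is needed; the deny-list and hostnames are constructed sample values, and the function names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// isASCIIOnlyALabel reports whether an "xn--" label decodes to ASCII only.
// In Punycode (RFC 3492) the basic ASCII code points sit before the last '-'
// and every code point produced from the digits after it is >= 128, so the
// decoded label is ASCII-only exactly when nothing follows that '-' (or the
// label is empty). "xn--example-" from the advisory has this shape.
func isASCIIOnlyALabel(label string) bool {
	rest := strings.TrimPrefix(strings.ToLower(label), "xn--")
	return rest == "" || strings.HasSuffix(rest, "-")
}

// validateHost runs the pre-check before any privilege decision: a host with
// an xn-- label that converts to a plain ASCII name is rejected outright, so
// the ASCII form and the Unicode form can never disagree.
func validateHost(host string) error {
	for _, label := range strings.Split(strings.ToLower(host), ".") {
		if strings.HasPrefix(label, "xn--") && isASCIIOnlyALabel(label) {
			return fmt.Errorf("label %q is Punycode for an ASCII-only label", label)
		}
	}
	return nil
}

// allowed models the deny-list check the advisory describes: with the
// vulnerable idna it would reject "example.com" but accept "xn--example-.com",
// which later converts to "example.com". Validating first closes that gap.
func allowed(host string, denied map[string]bool) (bool, error) {
	if err := validateHost(host); err != nil {
		return false, err
	}
	return !denied[strings.ToLower(host)], nil
}

func main() {
	denied := map[string]bool{"example.com": true} // constructed sample policy
	for _, h := range []string{"example.com", "xn--example-.com", "XN--EXAMPLE-.com", "xn--mnchen-3ya.de"} {
		ok, err := allowed(h, denied)
		fmt.Printf("%-18s allowed=%-5v err=%v\n", h, ok, err)
	}
}
```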


Advisories

No advisories yet.

History

Fri, 22 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-264

Fri, 22 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1289
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-264

Fri, 22 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program that performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".
Title Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
References


MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-23T03:55:57.406Z

Reserved: 2026-04-07T18:13:03.526Z

Link: CVE-2026-39821

Vulnrichment

Updated: 2026-05-22T18:01:10.401Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T22:30:02Z

Weaknesses