{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27138", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-17T19:57:28.435Z", "datePublished": "2026-03-06T21:28:14.000Z", "dateUpdated": "2026-03-10T13:35:19.784Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-08T05:56:21.000Z"}, "title": "Panic in name constraint checking for malformed certificates in crypto/x509", "descriptions": [{"lang": "en", "value": "Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS."}], "affected": [{"vendor": "Go standard library", "product": "crypto/x509", "collectionURL": "https://pkg.go.dev", "packageName": "crypto/x509", "versions": [{"version": "1.26.0-0", "lessThan": "1.26.1", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "dnsConstraints.query"}, {"name": "Certificate.Verify"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input"}]}], "references": [{"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"url": "https://go.dev/issue/77953"}, {"url": "https://go.dev/cl/752183"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4600"}], "credits": [{"lang": "en", "value": "Jakub Ciolek"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T13:34:15.972110Z", "id": "CVE-2026-27138", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:35:19.784Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27138", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T13:34:15.972110Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:35:03.116Z"}}], "cna": {"title": "Panic in name constraint checking for malformed certificates in crypto/x509", "credits": [{"lang": "en", "value": "Jakub Ciolek"}], "affected": [{"vendor": "Go standard library", "product": "crypto/x509", "versions": [{"status": "affected", "version": "1.26.0-0", "lessThan": "1.26.1", "versionType": "semver"}], "packageName": "crypto/x509", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "dnsConstraints.query"}, {"name": "Certificate.Verify"}]}], "references": [{"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"url": "https://go.dev/issue/77953"}, {"url": "https://go.dev/cl/752183"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4600"}], "descriptions": [{"lang": "en", "value": "Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-08T05:56:21.000Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27138", "state": "PUBLISHED", "dateUpdated": "2026-03-10T13:35:19.784Z", "dateReserved": "2026-02-17T19:57:28.435Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-03-06T21:28:14.000Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:1.26.0:*:*:*:*:*:*:*", "matchCriteriaId": "A40FE3CB-0D03-462B-8A19-4DF1920ABE82", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS."}, {"lang": "es", "value": "La verificaci\u00f3n de certificados puede entrar en p\u00e1nico cuando un certificado en la cadena tiene un nombre DNS vac\u00edo y otro certificado en la cadena tiene restricciones de nombre excluidas. Esto puede bloquear programas que est\u00e1n verificando directamente cadenas de certificados X.509, o aquellos que usan TLS."}], "id": "CVE-2026-27138", "lastModified": "2026-04-21T14:39:28.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-06T22:16:00.963", "references": [{"source": "security@golang.org", "tags": ["Mailing List"], "url": "https://go.dev/cl/752183"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/77953"}, {"source": "security@golang.org", "tags": ["Release Notes"], "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2026-4600"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "crypto/x509: Panic in name constraint checking for malformed certificates in crypto/x509", "id": "2445344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445344"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-295", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27138", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-03-06T21:28:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27138\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27138\nhttps://go.dev/cl/752183\nhttps://go.dev/issue/77953\nhttps://groups.google.com/g/golang-announce/c/EdhZqrQ98hk\nhttps://pkg.go.dev/vuln/GO-2026-4600"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.26.1)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "crypto/x509", "source": "cna", "vendor": "Go standard library"}, "product": "crypto_tls", "vendor": "go_standard_library"}], "analysis": {"en": {"generated_at": "2026-04-16T11:06:32.670236+00:00", "value": {"mitigation_remediation": ["Upgrade the Go toolchain to the latest release that contains the crypto/x509 patch (consult the Go issue tracker for the specific release).", "Rebuild all Go binaries that depend on the standard library to ensure they link against the updated package and redeploy the binaries to the target hosts.", "As a temporary measure, configure TLS connections to reject certificates with empty DNS names or use a third\u2011party library that performs stricter name constraint validation until the Go library fix is deployed."], "summary": {"action": "Update Go", "impact": "Denial of Service through program crash caused by certificate verification panic"}, "threat_synthesis": {"affected_systems": "The affected component is the Go standard library package crypto/x509, which is used by all Go applications that validate certificates or establish TLS connections. Any Go program built with an unpatched standard library version is susceptible. The specific Go release numbers that contain the vulnerability are not listed in the input; the issue is documented by the Go team and fixed in later releases (see the referenced issue links).", "description_and_impact": "Certificate verification panics when a chain contains a certificate with an empty DNS name and another certificate that has name constraints excluding that name. The panic aborts the verification routine and causes the program to terminate, producing a denial of service. Programs that directly verify X.509 chains or those that use TLS will crash. The weakness originates from unsafe error handling during name constraint checking and is identified as CWE\u2011295.", "risk_and_exploitability": "With a CVSS score of 5.9 the vulnerability is of moderate severity and an EPSS score of less than 1\u202f% indicates a very low probability of exploitation. It is not listed in the CISA KEV catalog. The most likely attack vector is remote, wherein an attacker supplies a crafted certificate chain\u2014such as during an HTTPS handshake\u2014to a server or client that performs TLS handshakes. The attacker must control the certificate chain; no privileged escalation is required, but the induced crash would deny service to users of the affected application."}}}}, "created": "2026-03-09T10:06:45.153588+00:00", "updated": "2026-04-16T11:15:27.681318+00:00", "vendors": ["go_standard_library", "go_standard_library$PRODUCT$crypto_tls"]}