CVE-2026-27138: Improper Certificate Validation in Standard Library Crypto X509

Severity
5.9 MEDIUM (NVD)
EPSS
0.0%
top 94.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 6
Latest update: Mar 10

Description

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.2 | Impact: 3.6

Affected Packages (1 package)

CVEListV5 | go_standard_library/crypto_x509 | 1.26.0-0 | 1.26.1

🔴 Vulnerability Details (4)
GHSA
GHSA-ph5j-38mg-j6hp: Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constr (2026-03-07)
OSV
CVE-2026-27138: Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constr (2026-03-06)
CVEList
Panic in name constraint checking for malformed certificates in crypto/x509 (2026-03-06)
OSV
Panic in name constraint checking for malformed certificates in crypto/x509 (2026-03-06)

📋 Vendor Advisories (3)
Microsoft
Panic in name constraint checking for malformed certificates in crypto/x509 (2026-03-10)
Red Hat
crypto/x509: Panic in name constraint checking for malformed certificates in crypto/x509 (2026-03-06)
Debian
CVE-2026-27138: golang-1.15 - Certificate verification can panic when a certificate in the chain has an empty ... (2026)

🕵️ Threat Intelligence (1)
Wiz
CVE-2026-27138 Impact, Exploitability, and Mitigation Steps | Wiz