CVE-2026-27138
Published 2026-03-06
CVE-2026-27138: Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints…
Priority P4 · 28 · medium · 5.9 · CVSS 3.1
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.35% (26.9th percentile)
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.26 1.26.1-1 (forky) | golang-1.26 1.26.1-1 (forky) |
| debian | golang-1.19 | < golang-1.26 1.26.1-1 (forky) | golang-1.26 1.26.1-1 (forky) |
| debian | golang-1.24 | < golang-1.26 1.26.1-1 (forky) | golang-1.26 1.26.1-1 (forky) |
| debian | golang-1.25 | < golang-1.26 1.26.1-1 (forky) | golang-1.26 1.26.1-1 (forky) |
| debian | golang-1.26 | < golang-1.26 1.26.1-1 (forky) | golang-1.26 1.26.1-1 (forky) |
| go_standard_library | crypto_x509 | >= 1.26.0-0 < 1.26.1 | 1.26.1 |
| golang | go | — | — |
| msrc | azl3_golang_1.25.7-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.26.0-1_on_azure_linux_3.0 | — | — |
CVSS provenance
nvd · v3.1 · 5.9 · MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
osv · 5.9 · MEDIUM
vendor_debian · 5.9 · LOW
vendor_msrc · 5.9 · MEDIUM
vendor_redhat · 5.9 · MEDIUM
GHSA
GHSA-ph5j-38mg-j6hp: Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constr
ghsa_unreviewed·2026-03-07
CVE-2026-27138 [MEDIUM] GHSA-ph5j-38mg-j6hp: Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constr
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
OSV
CVE-2026-27138: Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constr
osv·2026-03-06·CVSS 5.9
CVE-2026-27138 [MEDIUM] CVE-2026-27138: Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constr
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
OSV
Panic in name constraint checking for malformed certificates in crypto/x509
osv·2026-03-06
CVE-2026-27138 Panic in name constraint checking for malformed certificates in crypto/x509
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
Microsoft
Panic in name constraint checking for malformed certificates in crypto/x509
vendor_msrc·2026-03-10·CVSS 5.9
CVE-2026-27138 [MEDIUM] Panic in name constraint checking for malformed certificates in crypto/x509
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Red Hat
crypto/x509: Panic in name constraint checking for malformed certificates in crypto/x509
vendor_redhat·2026-03-06·CVSS 5.9
CVE-2026-27138 [MEDIUM] CWE-295 crypto/x509: Panic in name constraint checking for malformed certificates in crypto/x509
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
A certificate validation flaw has been discovered in the golang crypto/x509 module. Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
Mitigation: Mitigation for this issue is either not available or the currently available optio
Debian
CVE-2026-27138: golang-1.15 - Certificate verification can panic when a certificate in the chain has an empty ...
vendor_debian·2026·CVSS 5.9
CVE-2026-27138 [MEDIUM] CVE-2026-27138: golang-1.15 - Certificate verification can panic when a certificate in the chain has an empty ...
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
Scope: local
bullseye: resolved
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-6010 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-6010 [HIGH] CVE-2025-6010 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-6010: HashiCorp Vault vulnerability analysis and mitigation
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Source: NVD
Published February 10, 2026
Severity MEDIUM
CNA Score N/A
High-profile Vulnerability Yes
Affected Technologies
HashiCorp Vault
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:hashicorp:vault
Sources
Linux Severity MEDIUM Has Fix Added at: Aug 13, 2025
Windows Severity MEDIUM Has Fix Added at: Aug 13, 2025
Wiz
CVE-2026-26958 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 1.7
CVE-2026-26958 [LOW] CVE-2026-26958 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26958: HashiCorp Vault vulnerability analysis and mitigation
filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 o
Wiz
CVE-2026-27138 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-27138 [HIGH] CVE-2026-27138 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27138: HashiCorp Vault vulnerability analysis and mitigation
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
Source: NVD
Score 5.9
Published March 6, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
HashiCorp Vault
Prometheus
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
aws-otel-collector
gitlab-runner-fips-18.9
Sources
NVD
Alpine edge Severity MEDIUM Has Fix Added a
Published 2026-03-06