CVE-2026-33810
Published 2026-04-08
Priority: P345 high, CVSS 3.1 score 8.2
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS
0.34%
25.8th percentile
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.26 1.26.2-1 (sid) | golang-1.26 1.26.2-1 (sid) |
| debian | golang-1.19 | < golang-1.26 1.26.2-1 (sid) | golang-1.26 1.26.2-1 (sid) |
| debian | golang-1.24 | < golang-1.26 1.26.2-1 (sid) | golang-1.26 1.26.2-1 (sid) |
| debian | golang-1.25 | < golang-1.26 1.26.2-1 (sid) | golang-1.26 1.26.2-1 (sid) |
| debian | golang-1.26 | < golang-1.26 1.26.2-1 (sid) | golang-1.26 1.26.2-1 (sid) |
| go_standard_library | crypto_x509 | >= 1.26.0-0 < 1.26.2 | 1.26.2 |
| golang | go | >= 1.26.0 < 1.26.2 | 1.26.2 |
CVSS provenance
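| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | LOW | |
| vendor_redhat | | 7.5 | HIGH | |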
VulDB
crypto-x509 up to 1.26.1 on Go Certificate Chain certificate validation (Nessus ID 305653 / WID-SEC-2026-1006)
vuldb·2026-05-04·CVSS 8.2
CVE-2026-33810 [HIGH] crypto-x509 up to 1.26.1 on Go Certificate Chain certificate validation (Nessus ID 305653 / WID-SEC-2026-1006)
A vulnerability has been found in crypto-x509 up to 1.26.1 on Go and classified as critical. Affected is an unknown function of the component Certificate Chain Handler. This manipulation causes improper certificate validation.
This vulnerability is handled as CVE-2026-33810. The attack can be initiated remotely. There is not any exploit available.
The affected component should be upgraded.
OSV
CVE-2026-33810: When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a d
osv·2026-04-08·CVSS 7.5
CVE-2026-33810 [HIGH] CVE-2026-33810: When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a d
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
GHSA
GHSA-fv83-x2xw-2j55: When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a d
ghsa_unreviewed·2026-04-08
CVE-2026-33810 GHSA-fv83-x2xw-2j55: When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a d
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
OSV
Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509
osv·2026-04-07
CVE-2026-33810 Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint.
This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Red Hat
crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application
vendor_redhat·2026-04-08·CVSS 7.5
CVE-2026-33810 [HIGH] CWE-1289 crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
A flaw was found in the `crypto/x509` package within Go (golang). When verifying a certificate chain, excluded DNS (Domain Name System) constraints are not correctly applied to wildcard DNS Subject Alternative Names (SANs) if the case of the SAN differs from the constraint. This oversight could allow an attacker to bypass certificate vali
Debian
CVE-2026-33810: golang-1.15 - When verifying a certificate chain containing excluded DNS constraints, these co...
vendor_debian·2026·CVSS 7.5
CVE-2026-33810 [HIGH] CVE-2026-33810: golang-1.15 - When verifying a certificate chain containing excluded DNS constraints, these co...
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Scope: local
bullseye: resolved
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-27144 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-27144 [HIGH] CVE-2026-27144 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27144
Golang vulnerability analysis and mitigation
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
Source: NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-race
go-toolset
Sources
NVD
Debian 11, 12, 13 No Fix Added at: Apr 09, 2026
Debian 14 Has Fix Added at: Apr 09, 2026
Echo No Fix Added at: Apr 09, 202
Wiz
CVE-2026-32283 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2026-32283 [MEDIUM] CVE-2026-32283 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32283
Golang vulnerability analysis and mitigation
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Source: NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-1.15
golang-1.19
Sources
NVD
Debian 11, 12, 13 No Fix Added at: Apr 09, 2026
Debian 14 Has Fix Added at: Apr 09, 2026
Echo No Fix Added at: Apr 09, 2026
Linux
Wiz
CVE-2026-27140 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-27140 [HIGH] CVE-2026-27140 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27140
Golang vulnerability analysis and mitigation
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
Source: NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-1.19
golang-1.24
Sources
NVD
Debian 11, 12, 13 No Fix Added at: Apr 09, 2026
Debian 14 Has Fix Added at: Apr 09, 2026
Echo No Fix Added at: Apr 09, 2026
Linux Has Fix Added at: Apr 09, 2026
Windows Has Fix Added at: Apr 09, 2026
Wiz
CVE-2026-32280 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-32280 [HIGH] CVE-2026-32280 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32280
Golang vulnerability analysis and mitigation
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Source: NVD
Score 7.5
Published April 8, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-1.15
golang-1.19
Sources
NVD
Debian 11, 12, 13 Severity HIGH No Fix Added at: Apr 09, 2026
Wiz
CVE-2026-33810 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2026-33810 [MEDIUM] CVE-2026-33810 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33810
Golang vulnerability analysis and mitigation
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Source: NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:golang:go
golang-1.26
Sources
NVD
Debian 14 Has Fix Adde
Wiz
CVE-2026-27143 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27143 [CRITICAL] CVE-2026-27143 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27143
Golang vulnerability analysis and mitigation
Arithmetic over induction variables in loops was not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.
Source: NVD
Published April 8, 2026
CNA Score N/A
Affected Technologies
Golang
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-1.24
golang-1.25
Sources
NVD
Debian 11, 12, 13 No Fix Added at: Apr 09, 2026
Debian 14 Has Fix Added at: Apr 09, 2026
Echo No Fix Added at: Apr 09, 2026
Red Hat 8, 9, 10 Severity MED
Bugzilla
CVE-2026-33810 golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application [fedora-all]
bugzilla·2026-04-09·CVSS 7.5
CVE-2026-33810 [HIGH] CVE-2026-33810 golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-33810 crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application
bugzilla·2026-04-08·CVSS 7.5
CVE-2026-33810 [HIGH] CVE-2026-33810 crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
https://go.dev/cl/763763
https://go.dev/issue/78332
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4866
http://www.openwall.com/lists/oss-security/2026/04/19/4
http://www.openwall.com/lists/oss-security/2026/04/20/1
https://access.redhat.com/errata/RHSA-2026:10155
https://access.redhat.com/errata/RHSA-2026:10158
https://access.redhat.com/errata/RHSA-2026:13545
https://access.redhat.com/errata/RHSA-2026:14391
https://access.redhat.com/errata/RHSA-2026:19135
https://access.redhat.com/errata/RHSA-2026:19144
https://access.redhat.com/errata/RHSA-2026:19353
https://access.redhat.com/errata/RHSA-2026:19719
https://access.redhat.com/errata/RHSA-2026:19720
https://access.redhat.com/errata/RHSA-2026:19721
https://access.redhat.com/errata/RHSA-2026:21769
https://access.redhat.com/errata/RHSA-2026:21772
https://access.redhat.com/errata/RHSA-2026:22347
https://access.redhat.com/errata/RHSA-2026:22485
https://access.redhat.com/errata/RHSA-2026:22862
https://access.redhat.com/errata/RHSA-2026:22958
https://access.redhat.com/errata/RHSA-2026:22959
https://access.redhat.com/errata/RHSA-2026:22960
https://access.redhat.com/errata/RHSA-2026:22961
https://access.redhat.com/errata/RHSA-2026:22962
https://access.redhat.com/errata/RHSA-2026:23345
https://access.redhat.com/errata/RHSA-2026:24478
https://access.redhat.com/errata/RHSA-2026:25089
https://access.redhat.com/errata/RHSA-2026:26568
https://access.redhat.com/errata/RHSA-2026:26571
https://access.redhat.com/errata/RHSA-2026:26585
https://access.redhat.com/errata/RHSA-2026:28047
https://access.redhat.com/errata/RHSA-2026:29854
https://access.redhat.com/errata/RHSA-2026:7291
https://access.redhat.com/errata/RHSA-2026:9385
https://access.redhat.com/security/cve/CVE-2026-33810
https://bugzilla.redhat.com/show_bug.cgi?id=2456335
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33810.json