CVE-2026-27138

MEDIUM5.9EPSS 0.03%

Panic in name constraint checking for malformed certificates in crypto/x509

Published: 3/6/2026Modified: 5/15/2026

Description

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

Affected packages (3)

Bitnami/golang>= 1.26.0-0, < 1.26.1
Debian/golang-1.26from 0, < 1.26.1-1
Go/stdlib>= 1.26.0-0, < 1.26.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References (6)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-27138
PATCHhttps://go.dev/cl/752183
REPORThttps://go.dev/issue/77953
WEBhttps://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-27138
WEBhttps://pkg.go.dev/vuln/GO-2026-4600