CVE-2026-27138 — MEDIUM (5.9)

Vulnerability Description

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Golang	Go	1.26.0

Related Weaknesses (CWE)

CWE-295

References

https://go.dev/cl/752183Mailing List
https://go.dev/issue/77953Issue Tracking
https://groups.google.com/g/golang-announce/c/EdhZqrQ98hkRelease Notes
https://pkg.go.dev/vuln/GO-2026-4600Vendor Advisory

FAQ

What is CVE-2026-27138?

CVE-2026-27138 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either dir...

How severe is CVE-2026-27138?

CVE-2026-27138 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-27138?

Check the references section above for vendor advisories and patch information. Affected products include: Golang Go.