Vulnerability Description
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
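The check below is an added example, not code from the Go project or the advisory: it independently compares a leaf's DNS SANs against a chain's excluded DNS constraints after lowercasing both sides, so a case difference cannot hide an overlap. The names `norm`, `ExcludedHit` and `Violations`, the sample domains, and the overlap rules stated in the comment are assumptions made for illustration.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// norm lowercases a DNS name and drops a trailing dot; DNS names are case-insensitive.
func norm(s string) string { return strings.ToLower(strings.TrimSuffix(s, ".")) }

// ExcludedHit reports whether DNS SAN san overlaps excluded constraint c.
// Assumed, conservative rules (not Go's internal algorithm): "example.com" covers the name
// and its subdomains, ".example.com" subdomains only; a wildcard also hits a direct child.
func ExcludedHit(san, c string) bool {
	san, c = norm(san), norm(c)
	if c == "" {
		return true // an empty constraint covers every name
	}
	base := strings.TrimPrefix(c, ".")
	subOnly := base != c
	if (san == base && !subOnly) || strings.HasSuffix(san, "."+base) {
		return true
	}
	if parent, ok := strings.CutPrefix(san, "*."); ok && !subOnly {
		label, found := strings.CutSuffix(base, "."+parent)
		return found && label != "" && !strings.Contains(label, ".")
	}
	return false
}

// Violations lists every "SAN vs constraint" pair that overlaps.
func Violations(sans, excluded []string) []string {
	var out []string
	for _, s := range sans {
		for _, c := range excluded {
			if ExcludedHit(s, c) {
				out = append(out, s+" vs "+c)
			}
		}
	}
	return out
}

func main() {
	// Constructed sample values, not taken from the advisory.
	ca := &x509.Certificate{ExcludedDNSDomains: []string{"example.com", "test.example.org"}}
	leaf := &x509.Certificate{DNSNames: []string{"*.EXAMPLE.com", "*.Example.ORG", "www.example.net"}}
	fmt.Println(Violations(leaf.DNSNames, ca.ExcludedDNSDomains))
}
```

Feed it `DNSNames` from the leaf and `ExcludedDNSDomains` from each CA certificate in the chain; any returned pair is worth reviewing on hosts that still run an affected Go version.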
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | >= 1.26.0, < 1.26.2 |
References
- https://go.dev/cl/763763 (Patch)
- https://go.dev/issue/78332 (Issue Tracking)
- https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU (Mailing List, Release Notes)
- https://pkg.go.dev/vuln/GO-2026-4866 (Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2026/04/19/4
- http://www.openwall.com/lists/oss-security/2026/04/20/1
FAQ
What is CVE-2026-33810?
CVE-2026-33810 is a vulnerability with a CVSS score of 8.2 (HIGH). When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affec...
How severe is CVE-2026-33810?
CVE-2026-33810 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-33810?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Go.