Vulnerability DatabaseCVE-2026-27145
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-27145
Published:June 02, 2026
Updated:June 04, 2026
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.
Affected Packages
https://github.com/golang/go.git (GITHUB):
Affected version(s) >=go1 <go1.25.11
Fix Suggestion:
Update to version go1.25.11
https://github.com/golang/go.git (GITHUB):
Affected version(s) >=go1.26.0 <go1.26.4
Fix Suggestion:
Update to version go1.26.4
github.com/golang/go (GO):
Affected version(s) >=go1.26.0 <go1.26.4
Fix Suggestion:
Update to version go1.26.4
github.com/golang/go (GO):
Affected version(s) >=go1 <go1.25.11
Fix Suggestion:
Update to version go1.25.11
Related Resources (4)
https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw
https://pkg.go.dev/vuln/GO-2026-5037
https://go.dev/cl/783621
https://go.dev/issue/79694
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
HIGH