CVE-2025-68121

EUVD-2025-206854
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
CVSS 3.x Base Score

Provider  Type     Base Score   Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  10 CRITICAL  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score: percentile 4%
Affected Products (NVD)

Vendor  Product  Version
golang  go       x < 1.24.13
golang  go       1.25.0 <= x < 1.25.7
golang  go       1.26.0:rc1
golang  go       1.26.0:rc2

x = vulnerable software versions
Debian Releases

Debian Product  Codename  Version    Status
golang-1.15     bullseye             postponed
golang-1.19     bookworm             no-dsa
golang-1.24     trixie               no-dsa
golang-1.25     forky     1.25.10-1  fixed
golang-1.25     sid       1.25.10-2  fixed
Red Hat Enterprise Linux Releases

Red Hat Product              Release  Version               Status
buildah                      RHEL 9   2:1.41.8-2.el9_7      fixed
buildah-tests                RHEL 9   2:1.41.8-2.el9_7      fixed
containernetworking-plugins  RHEL 9   1:1.7.1-3.el9_7       fixed
delve                        RHEL 9   0:1.25.2-2.el9_7      fixed
git-lfs                      RHEL 9   0:3.6.1-7.el9_7       fixed
go-toolset                   RHEL 9   0:1.25.7-1.el9_7      fixed
golang                       RHEL 9   0:1.25.7-1.el9_7      fixed
golang-bin                   RHEL 9   0:1.25.7-1.el9_7      fixed
golang-docs                  RHEL 9   0:1.25.7-1.el9_7      fixed
golang-misc                  RHEL 9   0:1.25.7-1.el9_7      fixed
golang-race                  RHEL 9   0:1.25.7-1.el9_7      fixed
golang-src                   RHEL 9   0:1.25.7-1.el9_7      fixed
golang-tests                 RHEL 9   0:1.25.7-1.el9_7      fixed
grafana                      RHEL 8   0:9.2.10-28.el8_10    fixed
grafana                      RHEL 9   0:10.2.6-18.el9_7     fixed
grafana-pcp                  RHEL 9   0:5.1.1-12.el9_7      fixed
grafana-selinux              RHEL 8   0:9.2.10-28.el8_10    fixed
grafana-selinux              RHEL 9   0:10.2.6-18.el9_7     fixed
image-builder                RHEL 9   0:31-3.el9_7          fixed
opentelemetry-collector      RHEL 9   0:0.144.0-1.el9_7     fixed
osbuild-composer             RHEL 8   0:101.4-4.el8_10      fixed
osbuild-composer             RHEL 9   0:149-4.el9_7         fixed
osbuild-composer-core        RHEL 8   0:101.4-4.el8_10      fixed
osbuild-composer-core        RHEL 9   0:149-4.el9_7         fixed
osbuild-composer-worker      RHEL 8   0:101.4-4.el8_10      fixed
osbuild-composer-worker      RHEL 9   0:149-4.el9_7         fixed
podman                       RHEL 9   6:5.6.0-14.el9_7      fixed
podman-docker                RHEL 9   6:5.6.0-14.el9_7      fixed
podman-plugins               RHEL 9   6:5.6.0-14.el9_7      fixed
podman-remote                RHEL 9   6:5.6.0-14.el9_7      fixed
podman-tests                 RHEL 9   6:5.6.0-14.el9_7      fixed
rhc                          RHEL 9   1:0.2.7-2.el9_7       fixed
rhc-devel                    RHEL 9   1:0.2.7-2.el9_7       fixed
runc                         RHEL 9   4:1.4.0-2.el9_7       fixed
skopeo                       RHEL 9   2:1.20.0-3.el9_7      fixed
skopeo-tests                 RHEL 9   2:1.20.0-3.el9_7      fixed