CVE-2026-27138

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
1.15.15-1~deb11u4
fixed
golang-1.19
bookworm
1.19.8-2
fixed
golang-1.24
forky
1.24.13-2
fixed
sid
1.24.13-2
fixed
trixie
1.24.4-1
fixed
golang-1.25
forky
1.25.7-2
fixed
sid
1.25.7-2
fixed
golang-1.26
forky
vulnerable
sid
vulnerable
Vulnerability Media Exposure
References
https://go.dev/cl/752183
https://go.dev/issue/77953
https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
https://pkg.go.dev/vuln/GO-2026-4600