CVE-2026-27145

EUVD-2026-34038

02.06.2026, 23:16

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

golang-1.15

bullseye

vulnerable

golang-1.19

bookworm

vulnerable

golang-1.24

trixie

vulnerable

golang-1.25

forky	vulnerable
sid	vulnerable

golang-1.26

forky	vulnerable
sid	vulnerable

Vulnerability Media Exposure

[GERMAN] Golang Go: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in Golang Go ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen, um einen Denial of Service durchzuführen, und um falsche Informationen darzustellen.
Published: 2026-06-02T22:00:00+00:00

References

https://go.dev/cl/783621

https://go.dev/issue/79694

https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw

https://pkg.go.dev/vuln/GO-2026-5037