CVE-2026-27138 PUBLISHED

Panic in name constraint checking for malformed certificates in crypto/x509

Assigner: Go
Reserved: 17.02.2026 Published: 06.03.2026 Updated: 06.03.2026

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

Product Status

Vendor	Go standard library
Product	crypto/x509
Versions	Default: unaffected affected from 0 to 1.26.1 (excl.)

Credits

Jakub Ciolek

References

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
https://go.dev/issue/77953
https://go.dev/cl/752183
https://pkg.go.dev/vuln/GO-2026-4600

Problem Types

CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input