๐Ÿ” CVE Alert

CVE-2026-27138

MEDIUM 5.9

Panic in name constraint checking for malformed certificates in crypto/x509

CVSS Score: 5.9
EPSS Score: 0.0%
EPSS Percentile: 0th

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that either verify X.509 certificate chains directly or use TLS.

Vendor: Go standard library
Product: crypto/x509
Published: Mar 6, 2026
Last Updated: Mar 10, 2026

Affected Versions

Go standard library / crypto/x509
1.26.0-0 < 1.26.1

References

groups.google.com: https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
go.dev: https://go.dev/issue/77953
go.dev: https://go.dev/cl/752183
pkg.go.dev: https://pkg.go.dev/vuln/GO-2026-4600

Credits

Jakub Ciolek