CVE-2026-39821

CRITICAL 9.6

Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

CVSS Score

9.6

EPSS Score

0.0%

EPSS Percentile

0th

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Vendor	golang.org/x/net
Product	golang.org/x/net/idna
Published	May 22, 2026
Last Updated	May 27, 2026

Stay Ahead of the Next One

Get instant alerts for golang.org/x/net golang.org/x/net/idna

Be the first to know when new critical vulnerabilities affecting golang.org/x/net golang.org/x/net/idna are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

golang.org/x/net / golang.org/x/net/idna

0 < 0.55.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

go.dev: https://go.dev/cl/767220 go.dev: https://go.dev/issue/78760 groups.google.com: https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 pkg.go.dev: https://pkg.go.dev/vuln/GO-2026-5026

Credits

KC1zs4 (https://github.com/KC1zs4)