Vulnerability Report: GO-2026-4340

CVE-2025-61730, CVE-2025-61730
Affects: crypto/tls
Published: Jan 28, 2026

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Affected Packages

Path

Versions

Symbols
crypto/tls

before go1.24.12, from go1.25.0 before go1.25.6
10 affected symbols

Aliases

CVE-2025-61730
CVE-2025-61730

References

https://go.dev/cl/724120
https://go.dev/issue/76443
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
https://vuln.go.dev/ID/GO-2026-4340.json

Credits

Coia Prant (github.com/rbqvq)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL