Vulnerability Report: GO-2026-5037

CVE-2026-27145
Affects: crypto/x509
Published: Jun 02, 2026

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Affected Packages

Path

Versions

Symbols
crypto/x509

before go1.25.11, from go1.26.0-0 before go1.26.4

Aliases

CVE-2026-27145

References

https://go.dev/cl/783621
https://go.dev/issue/79694
https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw
https://vuln.go.dev/ID/GO-2026-5037.json

Credits

Jakub Ciolek - https://ciolek.dev/

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL