Fluid Attacks Database

Description

When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	stdlib	>=1.26.0-0 <1.26.2	1.26.2
debian 14	golang-1.26	=1.26.0-1 \|\| =1.26.1-1 \|\| =1.26~rc2-1 \|\| =1.26~rc3-1 \|\| =1.26~rc3-2 \|\| >=0 <1.26.2-1	1.26.2-1
rpm rhel10	ignition	-	-
rpm rhel8	buildah	-	-
rpm rhel10	conmon	-	-
rpm rhel9	conmon	-	-
rpm rhel8	containernetworking-plugins	-	-
rpm rhel10	delve	-	-
rpm rhel10	git-lfs	-	-
rpm rhel9	git-lfs	-	-

1-10 of 40

Aliases

1. CVE-2026-338102. NVD-2026-338103. OSV-GO-2026-48664. OSV-2026-338105. OSV-DEBIAN-2026-338106. GCVE-2026-338107. SECURITY-TRACKER-CVE-2026-33810

References

1. https://go.dev/cl/7637632. https://go.dev/issue/783323. https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU