Fluid Attacks Database

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	stdlib	>=0 <1.25.11	1.25.11
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 12	golang-1.19	=1.19.10-1 \|\| =1.19.10-2 \|\| =1.19.11-1 \|\| =1.19.12-1 \|\| =1.19.12-2 \|\| =1.19.12-2~bpo11+1 \|\| =1.19.12-2~bpo12+1 \|\| =1.19.13-1 \|\| =1.19.13-1~bpo11+1 \|\| =1.19.13-1~bpo12+1 \|\| =1.19.8-2 \|\| =1.19.9-1	-
debian 13	golang-1.24	=1.24.12-1 \|\| =1.24.13-1 \|\| =1.24.13-2 \|\| =1.24.4-1 \|\| =1.24.4-2 \|\| =1.24.4-3 \|\| =1.24.4-4 \|\| =1.24.7-1 \|\| =1.24.8-1 \|\| =1.24.9-1	-
debian 14	golang-1.25	=1.25.0-1 \|\| =1.25.0-2 \|\| =1.25.1-1 \|\| =1.25.10-1 \|\| =1.25.10-1~bpo13+1 \|\| =1.25.10-2 \|\| =1.25.10-2~bpo13+1 \|\| =1.25.11-1 \|\| =1.25.2-1 \|\| =1.25.3-1 \|\| =1.25.6-1 \|\| =1.25.7-1 \|\| =1.25.7-2 \|\| =1.25.8-1 \|\| =1.25.9-1	-
debian 14	golang-1.26	=1.26.0-1 \|\| =1.26.1-1 \|\| =1.26.2-1 \|\| =1.26.2-2 \|\| =1.26.2-3 \|\| =1.26.3-1 \|\| =1.26.3-1~bpo13+1 \|\| =1.26.3-2 \|\| =1.26.3-2~bpo13+1 \|\| =1.26.4-1 \|\| =1.26~rc2-1 \|\| =1.26~rc3-1 \|\| =1.26~rc3-2	-

Aliases

1. CVE-2026-271452. NVD-2026-271453. OSV-GO-2026-50374. OSV-2026-271455. OSV-DEBIAN-2026-271456. GCVE-2026-271457. SECURITY-TRACKER-CVE-2026-27145

References

1. https://go.dev/cl/7836212. https://go.dev/issue/796943. https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw4. https://github.com/HORKimhab/CVE-2026-27145

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.