Fluid Attacks Database

Description

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	stdlib	>=1.26.0-0 <1.26.1	1.26.1
debian 14	golang-1.26	=1.26.0-1 \|\| =1.26~rc2-1 \|\| =1.26~rc3-1 \|\| =1.26~rc3-2 \|\| >=0 <1.26.1-1	1.26.1-1
rpm rhel10	golang	-	-
rpm rhel8	golang	-	-
rpm rhel9	golang	-	-

Aliases

1. CVE-2026-271382. NVD-2026-271383. OSV-GO-2026-46004. OSV-2026-271385. OSV-DEBIAN-2026-271386. GCVE-2026-271387. SECURITY-TRACKER-CVE-2026-27138

References

1. https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk2. https://go.dev/issue/779533. https://go.dev/cl/752183

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.