CVE-2026-27138

MEDIUM5.9EPSS 0.03%

Panic in name constraint checking for malformed certificates in crypto/x509

發布日:2026/3/6修改日:2026/5/15

描述

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

受影響套件(3)

Bitnami/golang>= 1.26.0-0, < 1.26.1
Debian/golang-1.26from 0, < 1.26.1-1
Go/stdlib>= 1.26.0-0, < 1.26.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

參考連結(6)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-27138
PATCHhttps://go.dev/cl/752183
REPORThttps://go.dev/issue/77953
WEBhttps://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-27138
WEBhttps://pkg.go.dev/vuln/GO-2026-4600