CVE-2026-27138
Certificate Verification Panic in Go TLS Causes Program Crashes
Publication date: 2026-03-06
Last updated on: 2026-04-21
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | 1.26.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs during certificate verification when a certificate chain includes a certificate with an empty DNS name and another certificate with excluded name constraints. This situation can cause the verification process to panic, leading to a crash in programs that verify X.509 certificate chains or use TLS.
How can this vulnerability impact me? :
The vulnerability can cause programs that verify X.509 certificate chains or use TLS to crash unexpectedly. This can lead to denial of service or interruption of secure communications, potentially affecting the availability and reliability of applications relying on certificate verification.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know