CVE-2026-33810
Improper DNS Constraint Validation in Go Certificate Verification
Publication date: 2026-04-08
Last updated on: 2026-04-20
Assigner: Go Project
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | From 1.26.0 (inc) to 1.26.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-33810 is a vulnerability in the Go programming language's crypto/x509 package that affects the verification of certificate chains containing excluded DNS constraints.
The issue occurs because excluded DNS constraints are not correctly enforced when applied to wildcard DNS Subject Alternative Names (SANs) if the case of the wildcard SAN differs from that of the excluded DNS constraint.
This means that a wildcard DNS SAN such as "*.example.com" may escape an excluded DNS constraint such as "EXAMPLE.COM", because the case difference defeats the comparison during validation.
The vulnerability affects the validation of otherwise trusted certificate chains issued by a root Certificate Authority (CA) present in the VerifyOptions.Roots CertPool or the system certificate pool.
This flaw resides in the Certificate.Verify function and was fixed in Go version 1.26.2.
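The case-mismatch described above, as an added example that is not Go's own crypto/x509 code: a stand-alone check that tests a leaf's DNS SANs against an issuer's excluded DNS constraints with case-insensitive, label-by-label comparison, so a wildcard SAN like "*.example.com" is still caught by an exclusion of "EXAMPLE.COM". The function names are assumptions; the standard x509.Certificate fields DNSNames and ExcludedDNSDomains are real.

```go
package main

import (
	"crypto/x509"
	"strings"
)

// dnsNameWithinConstraint reports whether a DNS SAN falls under a DNS name
// constraint. DNS names are case-insensitive, so both sides are lower-cased
// before the label-by-label comparison; "*.example.com" is within
// "example.com", and a leading "." on the constraint demands an extra label.
func dnsNameWithinConstraint(san, constraint string) bool {
	san = strings.ToLower(strings.TrimSuffix(san, "."))
	constraint = strings.ToLower(strings.TrimSuffix(constraint, "."))
	if constraint == "" {
		return true // an empty constraint conventionally matches everything
	}
	mustHaveSubdomain := strings.HasPrefix(constraint, ".")
	sanLabels := strings.Split(san, ".")
	conLabels := strings.Split(strings.TrimPrefix(constraint, "."), ".")
	if len(sanLabels) < len(conLabels) || (mustHaveSubdomain && len(sanLabels) == len(conLabels)) {
		return false
	}
	// Compare from the rightmost label; a "*" label never matches a constraint label.
	for i := 1; i <= len(conLabels); i++ {
		s, c := sanLabels[len(sanLabels)-i], conLabels[len(conLabels)-i]
		if s == "*" || s != c {
			return false
		}
	}
	return true
}

// excludedSANs returns the leaf's DNS SANs that fall under any excluded DNS
// constraint carried by the issuing CA, whatever the case of either side.
// (Hypothetical helper; not part of crypto/x509.)
func excludedSANs(leaf, issuer *x509.Certificate) []string {
	var hits []string
	for _, san := range leaf.DNSNames {
		for _, ex := range issuer.ExcludedDNSDomains {
			if dnsNameWithinConstraint(san, ex) {
				hits = append(hits, san)
				break
			}
		}
	}
	return hits
}
```

Running it over a constructed leaf with DNSNames {"*.example.com", "www.other.org"} and an issuer with ExcludedDNSDomains {"EXAMPLE.COM"} reports "*.example.com" as excluded, which is the outcome a correct verifier must reach regardless of case.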
How can this vulnerability impact me?
This vulnerability can impact you by allowing a certificate chain that should be excluded due to DNS constraints to be incorrectly validated as trusted.
Specifically, if a wildcard DNS SAN in a certificate uses a different case than the excluded DNS constraint, the constraint may not be enforced, potentially allowing unauthorized or malicious certificates to be accepted.
This could lead to security risks such as man-in-the-middle attacks or unauthorized access if your application relies on Go's crypto/x509 package for certificate validation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the Go programming language's crypto/x509 package during certificate chain verification involving excluded DNS constraints and wildcard DNS SANs with case differences.
To detect this vulnerability on your system, you should first identify if you are running a vulnerable Go version (from 1.26.0-0 up to but not including 1.26.2).
You can check your Go version by running the command: `go version`.
To detect whether your applications are affected, you may need to audit or test certificate chain validations that involve excluded DNS constraints and wildcard DNS SANs whose case differs from that of the constraint.
There are no specific commands provided in the resources for scanning network traffic or system logs for this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Go programming language to version 1.26.2 or later, where this vulnerability has been fixed.
If upgrading immediately is not possible, consider reviewing and restricting the use of certificate chains that include excluded DNS constraints and wildcard DNS SANs with case differences until the fix can be applied.
Additionally, monitor for updates from the Go project and apply patches as soon as they become available.