CVE-2026-27145
Awaiting Analysis Awaiting Analysis - Queue

Inefficient Hostname Verification in Go x509 Certificate

Vulnerability report for CVE-2026-27145, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-02

Last updated on: 2026-07-09

Assigner: Go Project

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-02
Last Modified
2026-07-09
Generated
2026-07-14
AI Q&A
2026-06-03
EPSS Evaluated
2026-07-12
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
golang go *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-606 The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability involves the function (*x509.Certificate).VerifyHostname, which previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused the function strings.Split(host, ".") to be executed repeatedly on the same input hostname.

When there is a large DNS SAN list, the verification cost scales quadratically based on the number of SAN entries multiplied by the hostname's label count. This means the process becomes significantly slower as the SAN list grows.

Because x509.Verify validates hostnames before building the certificate chain, this overhead occurs even for untrusted certificates.

Impact Analysis

This vulnerability can cause performance degradation when verifying certificates that have a large number of DNS SAN entries.

The verification process may become significantly slower, potentially leading to increased resource consumption and delays in applications that rely on x509 certificate hostname verification.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27145. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart