CVE-2026-27145
Awaiting Analysis Awaiting Analysis - Queue
Inefficient Hostname Verification in Go x509 Certificate

Publication date: 2026-06-02

Last updated on: 2026-06-04

Assigner: Go Project

Description
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-04
Generated
2026-06-23
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-27145
EUVD
EUVD-2026-34038
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
golang go *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability involves the function (*x509.Certificate).VerifyHostname, which previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused the function strings.Split(host, ".") to be executed repeatedly on the same input hostname.

When there is a large DNS SAN list, the verification cost scales quadratically based on the number of SAN entries multiplied by the hostname's label count. This means the process becomes significantly slower as the SAN list grows.

Because x509.Verify validates hostnames before building the certificate chain, this overhead occurs even for untrusted certificates.

Impact Analysis

This vulnerability can cause performance degradation when verifying certificates that have a large number of DNS SAN entries.

The verification process may become significantly slower, potentially leading to increased resource consumption and delays in applications that rely on x509 certificate hostname verification.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27145. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart