CVE-2026-27145
Inefficient Hostname Verification in Go x509 Certificate
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: Go Project
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability involves the function (*x509.Certificate).VerifyHostname, which previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused the function strings.Split(host, ".") to be executed repeatedly on the same input hostname.
When there is a large DNS SAN list, the verification cost scales quadratically based on the number of SAN entries multiplied by the hostname's label count. This means the process becomes significantly slower as the SAN list grows.
Because x509.Verify validates hostnames before building the certificate chain, this overhead occurs even for untrusted certificates.
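The cost pattern described above, modeled as an added Go example; it is not the Go project's code or its fix. The names matchLabels and verify are hypothetical simplified stand-ins for the matching logic, and the SAN list and hostname are constructed sample input.

```go
package main

import (
	"fmt"
	"strings"
)

// matchLabels is a simplified stand-in for a wildcard-aware match (assumption,
// not Go's matchHostnames): equal label counts, "*" allowed as leftmost label.
func matchLabels(pattern string, hostLabels []string) bool {
	pat := strings.Split(pattern, ".")
	if len(pat) != len(hostLabels) {
		return false
	}
	for i, p := range pat {
		if p != hostLabels[i] && !(i == 0 && p == "*") {
			return false
		}
	}
	return true
}

// verify returns the match result and the number of host labels produced by
// splitting. resplit=true re-splits host for every SAN, as described above.
func verify(sans []string, host string, resplit bool) (bool, int) {
	labels := strings.Split(host, ".")
	work := len(labels)
	for i, san := range sans {
		if resplit && i > 0 { // split the same hostname again
			labels = strings.Split(host, ".")
			work += len(labels)
		}
		if matchLabels(san, labels) {
			return true, work
		}
	}
	return false, work
}

func main() {
	// Constructed input: 2000 non-matching SANs and a 65-label hostname.
	sans := make([]string, 2000)
	for i := range sans {
		sans[i] = fmt.Sprintf("san%d.example.test", i)
	}
	host := strings.Repeat("a.", 63) + "example.test"
	_, perSAN := verify(sans, host, true)
	_, once := verify(sans, host, false)
	fmt.Println("host labels split, per SAN:", perSAN, "once:", once)
}
```

Splitting once leaves the hostname-side work independent of the SAN count, while the per-SAN variant repeats it for every entry in the list.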
How can this vulnerability impact me?
This vulnerability can cause performance degradation when verifying certificates that have a large number of DNS SAN entries.
The verification process may become significantly slower, potentially leading to increased resource consumption and delays in applications that rely on x509 certificate hostname verification.