Inefficient candidate hostname parsing in crypto/x509_CVE-2026-27145

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Basic Information

ID CVE-2026-27145

Source Go

Published Jun 2, 2026 at 22:01

Modified Jun 4, 2026 at 12:34

Affected Product

Vendor Go standard library

Product crypto/x509

Affected Versions Go standard library crypto/x509 0
Go standard library crypto/x509 1.26.0-0

References

{
    "lastseen": "",
    "description": "(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, \".\") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.",
    "published": "2026-06-02T22:01:36.954Z",
    "modified": "2026-06-04T12:34:53.136Z",
    "type": "cve",
    "title": "Inefficient candidate hostname parsing in crypto/x509",
    "source": "Go",
    "references": "https://go.dev/cl/783621\nhttps://go.dev/issue/79694\nhttps://groups.google.com/g/golang-announce/c/tKs3rmcBcKw\nhttps://pkg.go.dev/vuln/GO-2026-5037",
    "id": "CVE-2026-27145",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Go standard library crypto/x509 0\nGo standard library crypto/x509 1.26.0-0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "crypto/x509",
    "version": "0",
    "vendor": "Go standard library",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply