CVE-2026-27138

NameCVE-2026-27138
DescriptionCertificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-1.15 (PTS)bullseye1.15.15-1~deb11u4fixed
golang-1.19 (PTS)bookworm1.19.8-2fixed
golang-1.24 (PTS)trixie1.24.4-1fixed
forky, sid1.24.13-2fixed
golang-1.25 (PTS)forky, sid1.25.8-1fixed
golang-1.26 (PTS)forky, sid1.26.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-1.15source(unstable)(not affected)
golang-1.19source(unstable)(not affected)
golang-1.24source(unstable)(not affected)
golang-1.25source(unstable)(not affected)
golang-1.26source(unstable)1.26.1-1

Notes

- golang-1.25 <not-affected> (Vulnerable code not present)
- golang-1.24 <not-affected> (Vulnerable code not present)
- golang-1.19 <not-affected> (Vulnerable code not present)
- golang-1.15 <not-affected> (Vulnerable code not present)
https://github.com/golang/go/issues/77953
Fixed by: https://github.com/golang/go/commit/e792d6aa952dbfdd3e8eac6f7abc3efd9df09030 (go1.26.1)
Search for package or bug name: Reporting problems