CVE-2026-27145

NameCVE-2026-27145
Description(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-1.15 (PTS)bullseye1.15.15-1~deb11u4vulnerable
golang-1.19 (PTS)bookworm1.19.8-2vulnerable
golang-1.24 (PTS)trixie1.24.4-1vulnerable
golang-1.25 (PTS)forky, sid1.25.10-2vulnerable
golang-1.26 (PTS)forky, sid1.26.3-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-1.15source(unstable)(unfixed)
golang-1.19source(unstable)(unfixed)
golang-1.24source(unstable)(unfixed)
golang-1.25source(unstable)(unfixed)
golang-1.26source(unstable)(unfixed)

Notes

https://github.com/golang/go/issues/79694
https://github.com/golang/go/commit/ce5a3e718cac440defae617dc6ed72a6e94cd0af (go1.26.4)
https://github.com/golang/go/commit/c5d18e479475e251c8593b1113fb53836117d5d3 (go1.25.11)
Search for package or bug name: Reporting problems