CVE-2026-39821

Name: CVE-2026-39821
Description: The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".
Source: CVE (at NVD)
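The flawed flow in the description and a hardened counterpart, as an added example that is not code from golang.org/x/net or the Go project: Python's standard-library punycode and idna codecs stand in for the Go idna functions (the idna codec already enforces the ToASCII round trip that rejects such labels), and BLOCKED_HOSTS is a constructed policy for the demonstration.

```python
import codecs
from typing import Optional

# Constructed policy for the demonstration: names an unprivileged caller must
# not reach. Authorization is meant to happen against this set.
BLOCKED_HOSTS = {"example.com", "admin.example.com"}

def lenient_to_unicode(host: str) -> str:
    """Mimic the flawed ToUnicode: decode every xn-- label with plain Punycode and
    never check that the result round-trips, so an ASCII-only result is accepted."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = codecs.decode(label[4:].encode("ascii"), "punycode")
        labels.append(label)
    return ".".join(labels)

def strict_to_unicode(host: str) -> str:
    """Hardened conversion: reject any xn-- label whose decoded form is ASCII-only
    (ToASCII would never have produced it), then let Python's idna codec enforce
    the full ToASCII(ToUnicode(label)) == label round trip."""
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            decoded = codecs.decode(label[4:].encode("ascii"), "punycode")
            if decoded.isascii():
                raise ValueError(f"label {label!r} decodes to ASCII-only {decoded!r}")
    return host.encode("ascii").decode("idna")

def vulnerable_target(host: str) -> Optional[str]:
    """Flow from the advisory: authorize the ASCII spelling, then convert it.
    The check passes for "xn--example-.com" although the converted name is blocked."""
    if host.lower() in BLOCKED_HOSTS:
        return None
    return lenient_to_unicode(host)

def hardened_target(host: str) -> Optional[str]:
    """Convert strictly first, then authorize the canonical name actually used."""
    try:
        canonical = strict_to_unicode(host)
    except (ValueError, UnicodeError):
        return None  # malformed or non-canonical A-label: deny
    return None if canonical in BLOCKED_HOSTS else canonical

if __name__ == "__main__":
    for h in ("example.com", "xn--example-.com", "xn--mnchen-3ya.de"):
        print(f"{h:>20}  vulnerable={vulnerable_target(h)!r}  hardened={hardened_target(h)!r}")
```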

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release      Version                             Status
golang-golang-x-net   bullseye     1:0.0+git20210119.5f4716e+dfsg-4    vulnerable
                      bookworm     1:0.7.0+dfsg-1                      vulnerable
                      trixie       1:0.27.0-2                          vulnerable
                      forky, sid   1:0.56.0-1                          fixed

The information below is based on the following data on fixed versions.

Package               Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
golang-golang-x-net   source   (unstable)   1:0.55.0-1

Notes

[bullseye] - golang-golang-x-net <postponed> (Limited support, minor issue)
https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
https://github.com/golang/go/issues/78760
https://github.com/golang/net/commit/8c4c965e028475082408749b50ed7a686df0d265 (v0.54.0)
