Unrated severityOSV Advisory· Published Jan 28, 2026· Updated Feb 2, 2026

Handshake messages may be processed at the incorrect encryption level in crypto/tls

CVE-2025-61730

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Affected products

Golang/GoOSV
Range: go1.10beta1, go1.10beta2, go1.10rc1, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

go.dev/cl/724120mitre
go.dev/issue/76443mitre
groups.google.com/g/golang-announce/c/Vd2tYVM8eUcmitre
pkg.go.dev/vuln/GO-2026-4340mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000