Medium severity5.9NVD Advisory· Published Mar 6, 2026· Updated Apr 21, 2026

CVE-2026-27138

Description

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

Affected products

Golang/Go
cpe:2.3:a:golang:go:1.26.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

pkg.go.dev/vuln/GO-2026-4600nvdVendor Advisory
go.dev/cl/752183nvdMailing List
go.dev/issue/77953nvdIssue Tracking
groups.google.com/g/golang-announce/c/EdhZqrQ98hknvdRelease Notes

News mentions

No linked articles in our index yet.

cvss	0.384
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000