CVE-2026-27145

Published: Jun 2, 2026

Modified: Jun 4, 2026

PUBLISHED

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Vendor	Product	Versions
Go standard library	crypto/x509	affected `0 - < 1.25.11` affected `1.26.0-0 - < 1.26.4`

References

https://go.dev/cl/783621

https://go.dev/issue/79694

https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw

https://pkg.go.dev/vuln/GO-2026-5037

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-27145

Description

Affected Products

References