GO-2026-5037

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2026-5037

Import Source

https://vuln.go.dev/ID/GO-2026-5037.json

JSON Data

https://api.test.osv.dev/v1/vulns/GO-2026-5037

Aliases

CVE-2026-27145

Published

2026-06-02T21:39:47Z

Modified

2026-06-02T22:00:13.023388457Z

Summary

Inefficient candidate hostname parsing in crypto/x509

Details

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2026-5037"
}

References

Credits

- Jakub Ciolek - https://ciolek.dev/

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.25.11

Introduced

1.26.0-0

Fixed

1.26.4

Ecosystem specific

{
    "imports": [
        {
            "path": "crypto/x509",
            "symbols": [
                "Certificate.Verify",
                "Certificate.VerifyHostname",
                "HostnameError.Error",
                "matchHostnames"
            ]
        }
    ]
}

Database specific

source

"https://vuln.go.dev/ID/GO-2026-5037.json"