CVE-2026-33810

Summary

When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected Software

VendorProductVersion RangeStatus
Go standard librarycrypto/x5091.26.0-0 < 1.26.2affected

Weaknesses

  • CWE-295: Improper Certificate Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application

Additional References

References