Skip to main content

Go CVE-2025-68121

CRITICAL
Improper Certificate Validation (CWE-295)
2026-02-05 security@golang.org
Information Disclosure Go
Critical
Disputed · 10.0 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
SUSE
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat
7.4 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 29, 2026 - 14:38 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
PoC Detected
Feb 20, 2026 - 17:25 vuln.today
Public exploit code
Patch released
Feb 20, 2026 - 17:25 nvd
Patch available
CVE Published
Feb 05, 2026 - 18:16 nvd
CRITICAL 10.0

DescriptionCVE.org

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

AnalysisAI

Critical certificate validation bypass in Go crypto/tls during session resumption. If ClientCAs or RootCAs fields are mutated between creating the config and resuming a session, the TLS stack uses the modified trust store, potentially accepting certificates from unintended CAs. CVSS 10.0, PoC available, patch available.

Technical ContextAI

CWE-295 in Go crypto/tls. When a TLS Config's ClientCAs or RootCAs fields are mutated after initial creation but before session resumption, the resumed session uses the mutated trust store rather than the original, bypassing intended certificate validation.

RemediationAI

Apply Go patch. Never mutate Config.ClientCAs/RootCAs after creation — create new Config objects instead. PoC available for testing.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.7 Affected
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.7 Image SL-Micro Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.5 Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.6 Affected
Container suse/sl-micro/6.0/toolbox:13.2-9.2 Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.35 Affected

Share

CVE-2025-68121 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy