Skip to main content

Crypto X509 CVE-2026-33810

| EUVDEUVD-2026-20024 HIGH
Improper Certificate Validation (CWE-295)
2026-04-08 Go
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Red Hat
8.8 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

8
Analysis Updated
Apr 19, 2026 - 23:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 20:52 vuln.today
cvss_changed
CVSS changed
Apr 17, 2026 - 20:52 NVD
7.5 (HIGH) 8.2 (HIGH)
Analysis Generated
Apr 15, 2026 - 12:25 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
7.5 (HIGH)
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 01:45 euvd
EUVD-2026-20024
CVE Published
Apr 08, 2026 - 01:06 nvd
N/A

DescriptionNVD

When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

AnalysisAI

Certificate validation bypass in Go's crypto/x509 library (versions 1.26.0-1.26.1) allows remote attackers to circumvent DNS name constraints through case-sensitivity mismatches in wildcard Subject Alternative Names. Attackers with certificates from trusted CAs can bypass intended domain restrictions and impersonate constrained subdomains, achieving unauthorized confidentiality access with limited integrity impact. Vendor-released patch available (Go 1.26.2). EPSS score is 0.01% (percentile 0%), indicating very low observed exploitation probability. No public exploit code or CISA KEV listing identified at time of analysis.

Technical ContextAI

The crypto/x509 package in Go's standard library implements X.509 certificate validation, including name constraint enforcement per RFC 5280. Name constraints allow certificate authorities to restrict which domain names a subordinate CA or end-entity certificate can validate for, creating trust boundaries within PKI hierarchies. This vulnerability (CWE-295: Improper Certificate Validation) stems from case-sensitivity handling in constraint matching logic. When a certificate chain includes excluded DNS name constraints (e.g., '.restricted.example.com'), the validation code fails to properly normalize case when comparing against wildcard SANs (e.g., '*.Restricted.Example.com' vs '*.restricted.example.com'). The flaw specifically affects the VerifyOptions.Roots CertPool validation path and system certificate pool validation. According to EUVD-2026-20024, crypto/x509 versions 1.26.0 and 1.26.1 are affected. The issue was addressed in Go changelist 763763 (go.dev/cl/763763) and tracked as issue 78332 in the Go project.

RemediationAI

Upgrade to Go version 1.26.2 or later, which contains the fix from changelist https://go.dev/cl/763763. Organizations should rebuild and redeploy all applications compiled with Go 1.26.0 or 1.26.1 that perform certificate validation. The official Go security announcement is available at https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU and vulnerability details at https://pkg.go.dev/vuln/GO-2026-4866. For environments unable to immediately upgrade, potential compensating controls include implementing additional application-layer domain validation that normalizes DNS names to lowercase before comparison, or restricting trust to root CAs that do not issue subordinate certificates with name constraints (though this eliminates the intended security boundary). Note that the second workaround reduces defense-in-depth by removing name constraint protections. SUSE has released distribution-specific patches per SUSE-SU-2026:1320 (https://www.suse.com/support/update/SUSE-SU-2026:1320/) for SUSE Linux Enterprise environments using affected Go versions.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Fixed

Share

CVE-2026-33810 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy