Skip to main content

Go crypto/tls CVE-2026-42505

| EUVDEUVD-2026-42317 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-07-08 Go GHSA-ff52-ph69-cf7x
5.3
CVSS 3.1 · Vendor: Go
Share

Severity by source

Vendor (Go) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Passive network observation requires no privileges or user interaction; confidentiality impact is limited to PSK identity exposure (partial), with no integrity or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Go).

CVSS VectorVendor: Go

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 08, 2026 - 20:56 vuln.today
CVSS changed
Jul 08, 2026 - 20:22 NVD
5.3 (MEDIUM)
Patch available
Jul 08, 2026 - 18:02 EUVD
CVE Published
Jul 08, 2026 - 15:46 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello.

AnalysisAI

Passive network de-anonymization of Encrypted Client Hello (ECH) connections is possible in Go's crypto/tls library because pre-shared key (PSK) identities are exposed in cleartext outer ClientHello messages, allowing any on-path observer to correlate resumption sessions and identify servers despite ECH's intended privacy protections. Affected versions span crypto/tls prior to 1.25.12, 1.26.5, and 1.27.0-rc.2 across the Go standard library. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attain passive network observation position
Delivery
Capture outbound TLS ClientHello packets from Go client
Exploit
Identify ECH handshakes with PSK extension present in outer ClientHello
Execution
Extract plaintext PSK identity values
Persist
Correlate PSK identities to prior sessions or known server identities
Impact
De-anonymize the ECH-protected connection

Vulnerability AssessmentAI

Exploitation Exploitation requires two concurrent application-level conditions: (1) the Go application must explicitly enable Encrypted Client Hello (ECH) in its crypto/tls configuration - ECH is not enabled by default and requires deliberate opt-in; and (2) TLS session resumption via Pre-Shared Keys must be occurring, which requires a prior completed TLS session between the same client and server. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) accurately characterizes a network-accessible, low-complexity passive information disclosure with no integrity or availability component. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A network-level adversary - such as a transit ISP, compromised network appliance, or on-path monitoring infrastructure - passively captures TLS ClientHello packets from a Go application that has ECH enabled with session resumption active. By reading PSK identity values present in the unencrypted outer ClientHello, the observer correlates resumption handshakes to prior sessions or to specific server identities, effectively identifying which server the client is connecting to despite ECH's privacy protections. …
Remediation The primary fix is to upgrade the Go toolchain to a patched release - Go 1.25.12, Go 1.26.5, or Go 1.27.0-rc.2 or later, depending on the release branch in use. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-42505 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy