Detections
Analytics

CVE-2026-27145

high

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

References

https://pkg.go.dev/vuln/GO-2026-5037

https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw

https://go.dev/issue/79694

https://go.dev/cl/783621

Details

Source: Mitre, NVD

Published: 2026-06-02

Updated: 2026-06-02

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Severity: High