When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:19353 advisory.

    Collector with the supported components for a Red Hat build of OpenTelemetry

    Security Fix(es):

    * net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

    * google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to     improper HTTP/2 path validation (CVE-2026-33186)

    * github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted     JSON Web Encryption (JWE) object (CVE-2026-34986)

    * crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation     (CVE-2026-32281)

    * crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint     application (CVE-2026-33810)

    * golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)

    * crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages     (CVE-2026-32283)

    * crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building     (CVE-2026-32280)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:19144 advisory.

    HTTP reverse proxy, backed by IPP-over-USB connection to device. It enables      driverless support for USB devices capable of using IPP-over-USB protocol.

    Security Fix(es):

    * crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint     application (CVE-2026-33810)

    * golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)

    * crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages     (CVE-2026-32283)

    * crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building     (CVE-2026-32280)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:19135 advisory.

    Collector with the supported components for a Red Hat build of OpenTelemetry

    Security Fix(es):

    * net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

    * google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to     improper HTTP/2 path validation (CVE-2026-33186)

    * github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted     JSON Web Encryption (JWE) object (CVE-2026-34986)

    * crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation     (CVE-2026-32281)

    * crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint     application (CVE-2026-33810)

    * golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)

    * crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages     (CVE-2026-32283)

    * crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building     (CVE-2026-32280)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20703-1 advisory.

    Changes in coredns:

    - Update to version 1.14.3:
      * This release introduces Windows service support, along with full TSIG         verification across DoH, DoH3, QUIC, and gRPC transports, and improved         TSIG propagation and DoH request validation.
      * It also adds optional TLS for the metrics endpoint.
      * Performance and stability are improved through cache prefetching, QUIC         optimizations, and a new max_age option in the forward plugin.
      * Additional updates include enhanced SVCB/HTTPS support, improved zone         transfer behavior, and various DNSSEC, PROXY protocol, and concurrency         fixes.
      * The release is built with Go 1.26.2, which includes security         fixes addressing CVE-2026-32282, CVE-2026-32289, CVE-2026-33810,         CVE-2026-27144, CVE-2026-27143, CVE-2026-32288, CVE-2026-32283,         and CVE-2026-27140, and also includes fixes for CVE-2026-32936,         CVE-2026-33190, CVE-2026-33489, CVE-2026-32934, and CVE-2026-35579.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1580-1 advisory.

    - Update to go1.26.2 (bsc#1255111).
    - CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG (bsc#1261653).
    - CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination (bsc#1261654).
    - CVE-2026-27144: cmd/compile: no-op interface conversion bypasses overlap checking (bsc#1261655).
    - CVE-2026-32280: crypto/x509: unexpected work during chain building (bsc#1261656).
    - CVE-2026-32281: crypto/x509: inefficient policy validation (bsc#1261657).
    - CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on Linux (bsc#1261658).
    - CVE-2026-32283: crypto/tls: multiple key update handshake messages can cause connection to deadlock     (bsc#1261659).
    - CVE-2026-32288: archive/tar: unbounded allocation when parsing old format GNU sparse map (bsc#1261660).
    - CVE-2026-32289: html/template: JS template literal context incorrectly tracked (bsc#1261661).
    - CVE-2026-33810: crypto/x509: excluded DNS constraints not properly applied to wildcard domains     (bsc#1261662).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20571-1 advisory.

    - Update to version go1.26.2 (bsc#1255111).
    - CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG (bsc#1261653).
    - CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination (bsc#1261654).
    - CVE-2026-27144: cmd/compile: no-op interface conversion bypasses overlap checking (bsc#1261655).
    - CVE-2026-32280: crypto/x509: unexpected work during chain building (bsc#1261656).
    - CVE-2026-32281: crypto/x509: inefficient policy validation (bsc#1261657).
    - CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on Linux (bsc#1261658).
    - CVE-2026-32283: crypto/tls: multiple key update handshake messages can cause connection to deadlock     (bsc#1261659).
    - CVE-2026-32288: archive/tar: unbounded allocation when parsing old format GNU sparse map (bsc#1261660).
    - CVE-2026-32289: html/template: JS template literal context incorrectly tracked (bsc#1261661).
    - CVE-2026-33810: crypto/x509: excluded DNS constraints not properly applied to wildcard domains     (bsc#1261662).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1320-1 advisory.

    - Update to go1.26.2 (bsc#1255111).
    - CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG (bsc#1261653).
    - CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination (bsc#1261654).
    - CVE-2026-27144: cmd/compile: no-op interface conversion bypasses overlap checking (bsc#1261655).
    - CVE-2026-32280: crypto/x509: unexpected work during chain building (bsc#1261656).
    - CVE-2026-32281: crypto/x509: inefficient policy validation (bsc#1261657).
    - CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on Linux (bsc#1261658).
    - CVE-2026-32283: crypto/tls: multiple key update handshake messages can cause connection to deadlock     (bsc#1261659).
    - CVE-2026-32288: archive/tar: unbounded allocation when parsing old format GNU sparse map (bsc#1261660).
    - CVE-2026-32289: html/template: JS template literal context incorrectly tracked (bsc#1261661).
    - CVE-2026-33810: crypto/x509: excluded DNS constraints not properly applied to wildcard domains     (bsc#1261662).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Golang running on the remote host is 1.25.x prior to 1.25.9, or 1.26.x prior to 1.26.2. It is, therefore, affected by multiple vulnerabilities, including:

  - Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the     compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.
    (CVE-2026-27143)

  - SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code     execution at build time due to trust layer bypass. (CVE-2026-27140)

  - The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion     prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to     memory corruption at runtime. (CVE-2026-27144)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - When verifying a certificate chain containing excluded DNS constraints, these constraints are not     correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects     validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots     CertPool, or in the system certificate pool. (CVE-2026-33810)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
315499	RHEL 9 : opentelemetry-collector (RHSA-2026:19353)	Nessus	Red Hat Local Security Checks	high
315417	RHEL 10 : golang-github-openprinting-ipp-usb (RHSA-2026:19144)	Nessus	Red Hat Local Security Checks	high
315408	RHEL 10 : opentelemetry-collector (RHSA-2026:19135)	Nessus	Red Hat Local Security Checks	high
313705	openSUSE 16 Security Update : coredns (openSUSE-SU-2026:20703-1)	Nessus	SuSE Local Security Checks	high
310239	SUSE SLES15 Security Update : go1.26-openssl (SUSE-SU-2026:1580-1)	Nessus	SuSE Local Security Checks	critical
309134	openSUSE 16 Security Update : go1.26 (openSUSE-SU-2026:20571-1)	Nessus	SuSE Local Security Checks	critical
306493	SUSE SLED15 / SLES15 Security Update : go1.26 (SUSE-SU-2026:1320-1)	Nessus	SuSE Local Security Checks	critical
305686	Golang 1.25.x < 1.25.9 / 1.26.x < 1.26.2 Multiple Vulnerabilities	Nessus	Misc.	critical
305653	Linux Distros Unpatched Vulnerability : CVE-2026-33810	Nessus	Misc.	high

Detections

Analytics

CVE-2026-33810

high

Tenable Plugins

high

high

high

high

critical

critical

critical

critical

high