Golang 1.26.x < 1.26.1 Multiple Vulnerabilities

medium Nessus Plugin ID 301251

Synopsis

An application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Golang running on the remote host is prior to 1.26.1. It is, therefore, affected by multiple vulnerabilities as referenced in the advisory.

- When verifying a certificate chain in which a certificate carries multiple email address constraints (each composed of the full email address) that share a common local portion (the portion of the address before the '@' character) but have different domain portions (the portion of the address after the '@' character), the constraints are not properly applied and only the last constraint is considered. As a result, calls to Certificate.Verify can return chains containing certificates whose email addresses are either not permitted or excluded by the relevant constraints. Since the name constraint checks happen after chain building is complete, this only applies to certificate chains which chain to trusted roots (root certificates either in VerifyOptions.Roots or in the system root certificate pool), requiring a trusted CA to issue certificates containing either not permitted or excluded email addresses. (CVE-2026-27137)

- Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS. Since the name constraint checks happen after chain building is complete, this only applies to certificate chains which chain to trusted roots (root certificates either in VerifyOptions.Roots or in the system root certificate pool), requiring a trusted CA to issue certificates containing malformed DNS names. (CVE-2026-27138)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Golang Go version 1.26.1 or later.
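Upgrading the toolchain does not change binaries that were already built: each Go executable statically links the crypto/x509 code of the toolchain that compiled it and records that toolchain's version. The following added example (not part of the plugin or the Go project) reads that embedded version with debug/buildinfo and flags binaries that need a rebuild. The function name affected and the choice to count 1.26 pre-releases as in range are assumptions of this example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// affected reports whether an embedded toolchain string falls in the
// advisory's range (1.26.x before 1.26.1); known is false if unparseable.
func affected(goVersion string) (vuln, known bool) {
	fields := strings.Fields(goVersion) // drops suffixes like " X:boringcrypto"
	if len(fields) == 0 || !strings.HasPrefix(fields[0], "go1.") {
		return false, false // e.g. "devel ..." builds need manual review
	}
	rest := strings.TrimPrefix(fields[0], "go1.")
	// Assumption: pre-releases ("go1.26rc2", "go1.26beta1") count as 1.26.0.
	if i := strings.IndexAny(rest, "rb"); i >= 0 {
		rest = rest[:i]
	}
	parts := strings.SplitN(rest, ".", 2)
	minor, err := strconv.Atoi(parts[0])
	patch := 0
	if err == nil && len(parts) == 2 {
		patch, err = strconv.Atoi(parts[1])
	}
	if err != nil {
		return false, false
	}
	return minor == 26 && patch < 1, true
}

func main() {
	for _, path := range os.Args[1:] { // paths of binaries to audit
		info, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Printf("%s: not a readable Go binary (%v)\n", path, err)
			continue
		}
		verdict := "outside the 1.26.x < 1.26.1 range"
		if vuln, known := affected(info.GoVersion); !known {
			verdict = "unrecognised version, review manually"
		} else if vuln {
			verdict = "AFFECTED, rebuild with Go 1.26.1 or later"
		}
		fmt.Printf("%s: %s: %s\n", path, info.GoVersion, verdict)
	}
}
```

Like the plugin, this is a version check only; it does not exercise certificate verification, and releases outside 1.26.x are out of its scope.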

See Also

https://github.com/golang/go/issues/77952

https://github.com/golang/go/issues/77953

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

Plugin Details

Severity: Medium

ID: 301251

File Name: golang_1_26_1.nasl

Version: 1.1

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 3/6/2026

Updated: 3/6/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS Score Rationale: Score based on an in-depth analysis by Tenable.

VPR

Risk Factor: Medium

Score: 4.4

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Vulnerability Information

CPE: cpe:/a:golang:go

Required KB Items: installed_sw/Golang Go Programming Language

Patch Publication Date: 3/5/2026

Vulnerability Publication Date: 2/26/2026

Reference Information

CVE: CVE-2026-27137, CVE-2026-27138