Go Excluded DNS Constraint Vulnerability in Wildcard Domains

Vulnerability

A vulnerability exists in the Go programming language's certificate verification process, specifically in the crypto/x509 package. Excluded DNS name constraints are not properly applied to wildcard DNS Subject Alternative Names (SANs) whose case differs from the constraint. The vulnerability affects Go versions 1.26.0 prior to 1.26.2 and impacts the validation of trusted certificate chains from root Certificate Authorities (CAs) in the VerifyOptions.Roots CertPool or the system certificate pool.

Impact

The vulnerability can lead to incorrect certificate validation: a certificate whose wildcard DNS SAN should be rejected by a CA's excluded DNS constraint may instead be accepted, because the constraint is not enforced for wildcard domains that differ in case from the constraint.

Remediation

Users can upgrade to Go version 1.26.2, which addresses this vulnerability. Instructions for downloading this version are available on the Go website.
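The following Go program is an added example written for this page; it is not code from the Go project or from this advisory and does not reproduce the internal implementation of crypto/x509. It shows what a correct excluded dNSName check looks like for the case the advisory describes: the SAN and the constraint are lower-cased before the label-by-label suffix comparison, and a leading "*." on the SAN is stripped first, so "*.EXAMPLE.COM" is caught by an excluded constraint of "example.com". The function names (matchesDNSConstraint, checkExcludedDNSConstraints, constructedChain), the leading-dot "subdomains only" convention, the conservative treatment of a wildcard one label above a constraint, and the in-memory certificates are all this example's own assumptions. It can serve as a defence-in-depth check over the chains returned by Certificate.Verify, or as a regression test, while the upgrade to 1.26.2 is rolled out.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"strings"
)

// reverseLabels splits a DNS name into its labels, last label first, so that
// constraint matching can compare from the top-level domain inward.
func reverseLabels(name string) []string {
	parts := strings.Split(name, ".")
	for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
		parts[i], parts[j] = parts[j], parts[i]
	}
	return parts
}

// matchesDNSConstraint reports whether a SAN DNS name falls under an RFC 5280
// dNSName constraint. Both sides are lower-cased first, so "*.EXAMPLE.COM" and
// "example.com" compare equal label by label (the case the advisory describes).
// A constraint with a leading "." matches subdomains only. A wildcard SAN "*.X"
// is treated as covering every name one label below X, so it is also caught by
// a constraint exactly one label below X (conservative choice made here).
func matchesDNSConstraint(san, constraint string) bool {
	san = strings.ToLower(strings.TrimSuffix(san, "."))
	constraint = strings.ToLower(strings.TrimSuffix(constraint, "."))
	if constraint == "" {
		return true // an empty constraint is treated as matching every name
	}
	subdomainsOnly := strings.HasPrefix(constraint, ".")
	constraint = strings.TrimPrefix(constraint, ".")
	wildcard := strings.HasPrefix(san, "*.")
	san = strings.TrimPrefix(san, "*.")

	s := reverseLabels(san)
	c := reverseLabels(constraint)

	switch {
	case len(s) > len(c):
		// The SAN is below the constraint if the shared labels match.
	case len(s) == len(c):
		// An equal-length name is a "subdomain" only when it is a wildcard.
		if subdomainsOnly && !wildcard {
			return false
		}
	case wildcard && !subdomainsOnly && len(s)+1 == len(c):
		// The wildcard label can stand in for the constraint's deepest label.
		c = c[:len(s)]
	default:
		return false
	}
	for i := range c {
		if s[i] != c[i] {
			return false
		}
	}
	return true
}

// checkExcludedDNSConstraints applies the excluded dNSName constraints of every
// CA in a chain to the leaf's DNS SANs. chain[0] is the leaf, as in the chains
// returned by (*x509.Certificate).Verify.
func checkExcludedDNSConstraints(chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return errors.New("empty certificate chain")
	}
	leaf := chain[0]
	for _, ca := range chain[1:] {
		for _, excluded := range ca.ExcludedDNSDomains {
			for _, san := range leaf.DNSNames {
				if matchesDNSConstraint(san, excluded) {
					return fmt.Errorf("SAN %q is excluded by constraint %q on CA %q",
						san, excluded, ca.Subject.CommonName)
				}
			}
		}
	}
	return nil
}

// constructedChain builds an in-memory chain for the scenario in the advisory:
// a root CA that excludes example.com and a leaf carrying the given DNS SAN.
// The certificates are constructed structs, not parsed or signed material.
func constructedChain(leafSAN string) []*x509.Certificate {
	root := &x509.Certificate{
		Subject:            pkix.Name{CommonName: "Constructed Root CA"},
		IsCA:               true,
		ExcludedDNSDomains: []string{"example.com"},
	}
	leaf := &x509.Certificate{
		Subject:  pkix.Name{CommonName: "constructed leaf"},
		DNSNames: []string{leafSAN},
	}
	return []*x509.Certificate{leaf, root}
}

func main() {
	for _, san := range []string{"*.EXAMPLE.COM", "host.example.com", "*.example.org"} {
		if err := checkExcludedDNSConstraints(constructedChain(san)); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", san)
		}
	}
}
```

Run it as a normal program to see the first two SANs rejected and "*.example.org" accepted; in a deployment, call checkExcludedDNSConstraints on each chain returned by Verify and treat any error as a verification failure.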

Added: Apr 8, 2026, 2:19 AM
Updated: Apr 8, 2026, 2:19 AM

Vulnerability Rating

Custom Algorithm

  spread          5.4
  impact          5.0
  exploitability  5.3
  remediation     7.7
  relevance       5.5
  threat          3.2
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.