Filtered by vendor Go Standard Library Subscriptions
Filtered by product Crypto/x509 Subscriptions

Search

Switch to Advanced Search (Beta)
Total 4 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2026-27145 1 Go Standard Library 1 Crypto/x509 2026-06-03 N/A
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.
CVE-2026-33810 2 Go Standard Library, Golang 2 Crypto/x509, Go 2026-04-20 7.5 High
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
CVE-2026-32281 2 Go Standard Library, Golang 2 Crypto/x509, Go 2026-04-17 7.5 High
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
CVE-2026-32280 2 Go Standard Library, Golang 2 Crypto/x509, Go 2026-04-16 7.5 High
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.