CVE-2026-27138

low-risk

Published 2026-03-06

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

References (4)

https://go.dev/cl/752183

https://go.dev/issue/77953

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

https://pkg.go.dev/vuln/GO-2026-4600

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal