Go x509 Certificate Hostname Verification Vulnerability (CVE-2026-27145): Wildcard Matching via SAN Loop Causes Incorrect Validation

A vulnerability in Go’s x509 certificate verification, tracked as CVE-2026-27145, causes incorrect hostname validation when a certificate contains multiple DNS Subject Alternative Name (SAN) entries. The VerifyHostname function previously called matchHostnames in a loop, which caused incorrect wildcard matching behaviour through repeated strings.Split operations.

What Is the Vulnerability?

CVE-2026-27145 exists in Go’s standard library crypto/x509 package. The VerifyHostname function iterates over all DNS SAN entries and calls matchHostnames for each one. Repeating strings.Split(host, ".") on every iteration of that loop can produce incorrect hostname validation results, potentially accepting certificates for hostnames they were not issued for. This is a TLS certificate validation flaw in Go’s standard library, affecting every Go application that performs TLS hostname verification.

  • CVSS v3.1 Score: 7.5 (High)
  • CWE: CWE-295 (Improper Certificate Validation)
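The code path the advisory describes is VerifyHostname run against a certificate that carries several DNS SAN entries, one of them a wildcard. The program below, an added example rather than code from the advisory or from the Go project, builds such a certificate with constructed names and records which candidate hostnames the running toolchain accepts, so a team can keep it as a regression check after rebuilding with the patched Go release.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// HostnameResults builds a self-signed certificate with the given DNS SANs (constructed
// names, not from the advisory) and records which candidate hosts VerifyHostname accepts.
func HostnameResults(sans, hosts []string) (map[string]bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     sans, // multiple SANs: the loop in VerifyHostname the advisory describes
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	out := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		out[h] = cert.VerifyHostname(h) == nil // nil error: toolchain accepted this host
	}
	return out, nil
}

func main() {
	res, err := HostnameResults([]string{"*.example.com", "example.com", "api.example.net"},
		[]string{"www.example.com", "example.com", "a.b.example.com", "api.example.net", "example.net"})
	if err != nil {
		panic(err)
	}
	for h, ok := range res {
		fmt.Printf("%-18s accepted=%v\n", h, ok)
	}
}
```

On a correct toolchain only the exact SAN names and single-label wildcard matches are accepted; any other accepted host in the output is a reason to check the Go version in use.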

Which Versions Are Affected?

  • Go standard library crypto/x509: affected versions prior to the patched Go release

What Is the Fix?

Update Go to the latest patch release that includes the fix for CVE-2026-27145. Rebuild all Go applications with the updated Go toolchain.

Recommendations

Update Go and rebuild applications. TLS certificate validation is a critical security boundary. Every Go service that makes outbound TLS connections or accepts TLS connections with client certificate verification is affected.

References


This advisory is covered in the broader Vulnerability Intelligence Report — June 4, 2026.
