CVE-2026-27138

unknown

Published 2026-03-06 · Modified 2026-05-15

CVSS v3

—

CVSS v2

—

VIR risk

—

Description

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-27138.html

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-27138

OS impact

OS	Version	Status	Fixed in
debian	bullseye	fixed	`0`
debian	bookworm	fixed	`0`
debian	trixie	fixed	`0`
debian	forky	fixed	`0`
debian	sid	fixed	`0`
sles		affected

Package impact

Ecosystem	Package	Vulnerable	Fixed
Go	stdlib	`>=1.26.0-0,<1.26.1`	`1.26.1`

References

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
https://go.dev/issue/77953
https://go.dev/cl/752183
https://security-tracker.debian.org/tracker/CVE-2026-27138
https://www.suse.com/security/cve/CVE-2026-27138.html

Verify integrity in audit chain (admin only). AS-IS.