Certificate Chain Verification Issue in Go Programming Language
CVE-2026-33810

7.5HIGH

Key Information:

Vendor: Go Standard Library
Status: Crypto/x509
Vendor: CVE Published:; 8 April 2026

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2026-33810?

A vulnerability in the Go programming language arises when validating certificate chains that contain excluded DNS constraints. The issue manifests as incorrect application of these constraints to wildcard DNS Subject Alternative Names (SANs) when there is a case mismatch between the wildcard and the constraints. This flaw specifically affects the validation of otherwise trusted certificate chains, which are issued by a root Certificate Authority (CA) included in the specified CertPool or the system certificate pool.

Affected Version(s)

crypto/x509 1.26.0-0 < 1.26.2

References

https://go.dev/cl/763763

https://go.dev/issue/78332

https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 23, 2026

Credit

Riyas from Saintgits College of Engineering

k1rnt

@1seal

CVE-2026-33810 Data

JSON