Privilege Escalation Vulnerability in Golang IDNA Package
CVE-2026-39821
Currently unrated
What is CVE-2026-39821?
The ToASCII and ToUnicode functions in Golang's IDNA package do not properly validate Punycode-encoded labels and accept labels that should trigger errors. For example, input like 'xn--example-.com' is accepted and incorrectly processed as 'example.com', which may bypass privilege checks and grant unauthorized access, leading to unintended privilege escalation. Developers using this package should reassess their privilege validation mechanisms to ensure they are not vulnerable to this issue.
Affected Version(s)
golang.org/x/net/idna: versions from 0 up to (but not including) 0.55.0
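A pre-validation check for the label class in the advisory's example, as an added illustration that is not code from the Go project: it refuses any label that carries the `xn--` prefix but whose Punycode payload encodes no non-ASCII code point, which is why 'xn--example-' collapses to 'example'. The function names are hypothetical, and the check assumes the flaw is limited to that label class and that labels are inspected as written in the input.

```go
package main

import (
	"fmt"
	"strings"
)

// asciiOnlyACE reports whether label has the "xn--" ACE prefix but a Punycode
// payload that encodes no non-ASCII code point. In Punycode (RFC 3492) the
// text after the last '-' holds the encoded non-ASCII part, so an empty
// payload, or one ending in '-', decodes to plain ASCII.
func asciiOnlyACE(label string) bool {
	if len(label) < 4 || !strings.EqualFold(label[:4], "xn--") {
		return false
	}
	payload := label[4:]
	return payload == "" || strings.HasSuffix(payload, "-")
}

// isDot matches the label separators that IDNA processing treats as '.'.
func isDot(r rune) bool {
	return r == '.' || r == '\u3002' || r == '\uff0e' || r == '\uff61'
}

// RejectedLabels (hypothetical helper) returns the labels of host that should
// be refused before the name reaches ToASCII / ToUnicode or an allowlist check.
func RejectedLabels(host string) []string {
	var bad []string
	for _, label := range strings.FieldsFunc(host, isDot) {
		if asciiOnlyACE(label) {
			bad = append(bad, label)
		}
	}
	return bad
}

func main() {
	// Constructed sample inputs; the first is the example from the advisory.
	hosts := []string{"xn--example-.com", "example.com", "xn--bcher-kva.example", "XN--.test"}
	for _, h := range hosts {
		fmt.Printf("%-24s rejected=%q\n", h, RejectedLabels(h))
	}
}
```

Call it on the raw hostname before any allowlist or privilege comparison, in addition to moving off the affected versions listed above.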
