Vulnerability in Go's TLS Implementation Affects Encrypted Client Hello Communication
CVE-2026-42505
Currently unrated
What is CVE-2026-42505?
A vulnerability exists in the TLS implementation of Go, where handshakes utilizing Encrypted Client Hello can be de-anonymized by passive network observers. This occurs due to the exposure of pre-shared key identities within the unencrypted Client Hello message, potentially compromising user privacy and enabling targeted attacks. Effective mitigation strategies should be employed to protect users from this vulnerability in their communications.
Affected Version(s)
crypto/tls 0 < 1.25.12
crypto/tls 1.26.0-0 < 1.26.5
crypto/tls 1.27.0-0 < 1.27.0-rc.2
