Vulnerability in Go's TLS Implementation Affects Encrypted Client Hello Communication
CVE-2026-42505

Currently unrated

Key Information:

Vendor
CVE Published:
8 July 2026

What is CVE-2026-42505?

A vulnerability exists in the TLS implementation of Go, where handshakes utilizing Encrypted Client Hello can be de-anonymized by passive network observers. This occurs due to the exposure of pre-shared key identities within the unencrypted Client Hello message, potentially compromising user privacy and enabling targeted attacks. Effective mitigation strategies should be employed to protect users from this vulnerability in their communications.

Affected Version(s)

crypto/tls 0 < 1.25.12

crypto/tls 1.26.0-0 < 1.26.5

crypto/tls 1.27.0-0 < 1.27.0-rc.2

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Coia Prant (github.com/rbqvq)
.