CVE-2026-27145: Go x509 Certificate Hostname Verification Denial of Service
Go's x509 certificate hostname verification process had a performance flaw where it unnecessarily repeated the same string-splitting operation for each DNS Subject Alternative Name (SAN) entry on a certificate. When a certificate listed many DNS SANs, verification became progressively slower—scaling with both the number of SANs and the complexity of the hostname being checked. The flaw affected all certificate verification, including checks on untrusted certificates, making it possible for an attacker to craft a certificate with an extremely large SAN list that would cause significant CPU overhead during validation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
- Weaknesses (CWE)
- CWE-606
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-07-06
NVD description (verbatim)
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.
11 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The x509.Certificate.VerifyHostname function in Go's crypto/x509 package called matchHostnames repeatedly in a loop over all DNS SAN entries without caching intermediate results. Each iteration performed strings.Split(host, ".") on the same hostname string, resulting in O(n*m) complexity where n is the number of SAN entries and m is the number of labels in the hostname. This quadratic behavior occurred during x509.Verify before certificate chain validation, meaning even certificates that would ultimately fail trust validation incurred the full hostname-verification overhead. An attacker controlling a certificate could populate its SAN list with thousands of entries, forcing any client performing verification to perform exponentially more work.
Business impact
Deployments relying on Go's x509 verification—including TLS clients, API servers, and container orchestration platforms—could experience degraded performance or denial-of-service conditions when presented with maliciously crafted certificates containing large SAN lists. Services that validate many certificates in parallel or under high load are most vulnerable. The impact is not on data confidentiality or integrity but on service availability, making this a reliability and operational concern rather than a direct data breach risk.
Affected systems
Any application using Go's crypto/x509 package for certificate hostname verification is affected. This includes Go web servers, TLS clients, Kubernetes control planes, Docker runtimes, and any custom tooling that validates X.509 certificates. The vulnerability is inherent to the Go standard library and does not depend on specific vendor products or versions—all versions of Go containing the vulnerable code path are susceptible.
Exploitability
Exploitation requires an attacker to control or influence the presentation of an X.509 certificate during a TLS handshake or certificate validation operation. This is practical in man-in-the-middle scenarios, compromised CAs, or self-signed certificate deployments. The attack does not require user interaction and can be automated. However, the severity is capped by the fact that the impact is computational exhaustion rather than authentication bypass or data exposure. Practical impact depends on certificate validation frequency and the sensitivity of services to latency increases.
Remediation
Apply a Go security update that optimizes x509.VerifyHostname to cache the result of strings.Split or eliminate redundant operations. Verify the Go release notes and security advisories for the specific version addressing CWE-606 performance issues in certificate verification. Organizations should patch Go runtimes across all infrastructure, including development environments, CI/CD systems, and production deployments. No configuration workaround exists; code-level remediation is required.
Patch guidance
Consult the official Go security advisory and release notes to identify the patched version that addresses this hostname verification performance issue. Update the Go toolchain on development machines, build systems, and container base images. For applications compiled with an older Go version, recompilation against a patched Go release is necessary. Verify patch application by confirming the Go version in deployed binaries and runtimes. Test TLS certificate handling after patching to ensure no regressions in validation behavior.
Detection guidance
Monitor for CPU spikes or latency increases during TLS handshakes, particularly if correlated with unusual certificate presentations. Log hostname verification latencies if instrumentation is available in the application layer. Intrusion detection systems may flag attempts to present certificates with extremely large SAN lists (e.g., >1000 entries) as anomalous. Review access logs for repeated failed certificate validations that could indicate active exploitation. No specific indicators of compromise exist unless the attack results in observable service degradation.
Why prioritize this
This vulnerability merits prompt but not emergency remediation. The CVSS score of 6.5 (Medium) reflects the asymmetric risk: no confidentiality breach, limited integrity impact, but meaningful availability impact. Unlike authentication bypasses, this flaw does not enable unauthorized access. However, it can be weaponized to degrade critical services, making it relevant for infrastructure teams managing high-throughput TLS endpoints. Organizations handling sensitive or high-availability workloads should prioritize patching within their standard security update windows. The fact that it is not on the CISA KEV catalog suggests real-world exploitation remains limited.
Risk score, explained
The CVSS 6.5 Medium score reflects: (1) Network attack vector—no local access required; (2) High complexity—requires attacker control of a certificate; (3) No privilege requirements; (4) No impact on confidentiality; (5) Low impact on integrity; (6) High impact on availability through CPU exhaustion. The score penalizes the attack for requiring certificate control while acknowledging the availability risk. The absence of confidentiality or integrity impact prevents a higher severity rating, and the non-exploited status (not in CISA KEV) suggests this is theoretical rather than actively weaponized.
Frequently asked questions
Can this vulnerability lead to unauthorized access or data theft?
No. The flaw affects the performance of certificate hostname verification, not the correctness of trust decisions. It does not enable bypassing authentication, accessing encrypted data, or breaking TLS. The impact is limited to denial-of-service through computational exhaustion.
Do I need to patch if my Go application does not handle untrusted certificates?
Yes. The vulnerability occurs during verification of all certificates, including those that will ultimately fail trust validation. An attacker can induce verification overhead even if the certificate would be rejected as untrusted. All applications using x509.VerifyHostname should patch.
How can I tell if my service is being attacked using this vulnerability?
Watch for unexpected increases in CPU usage during TLS connection establishment, or increased latency in certificate validation. Unusual certificate presentations with very large SAN lists (thousands of entries) are a red flag. Enable verbose logging in your TLS stack if available to confirm the source of latency.
Is there a workaround if I cannot patch immediately?
No configuration-level workaround exists. You must update to a patched version of Go. In the interim, rate-limiting incoming TLS connections or isolating certificate validation to a resource-constrained process may reduce blast radius, but these are mitigations, not fixes.
This analysis is based on publicly available information and the CVE record as of the publication date. Vendor advisories and patch availability may evolve; verify current guidance directly with the Go project security team and your organization's security operations center. No exploit code or weaponized proof-of-concept is provided. This assessment is for informational purposes and should be tailored to your specific environment and risk profile. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk
- CVE-2019-25716MEDIUMDräger Patient Monitor Denial-of-Service Vulnerability