{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33810", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-23T20:35:32.814Z", "datePublished": "2026-04-08T01:06:56.546Z", "dateUpdated": "2026-04-13T18:20:37.411Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:56.546Z"}, "title": "Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509", "descriptions": [{"lang": "en", "value": "When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool."}], "affected": [{"vendor": "Go standard library", "product": "crypto/x509", "collectionURL": "https://pkg.go.dev", "packageName": "crypto/x509", "versions": [{"version": "1.26.0-0", "lessThan": "1.26.2", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "newDNSConstraints"}, {"name": "dnsConstraints.query"}, {"name": "Certificate.Verify"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-295: Improper Certificate Validation"}]}], "references": [{"url": "https://go.dev/cl/763763"}, {"url": "https://go.dev/issue/78332"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4866"}], "credits": [{"lang": "en", "value": "Riyas from Saintgits College of Engineering"}, {"lang": "en", "value": "k1rnt"}, {"lang": "en", "value": "@1seal"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T17:48:57.879958Z", "id": "CVE-2026-33810", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:20:37.411Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-33810", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T17:48:57.879958Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:48:52.707Z"}}], "cna": {"title": "Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509", "credits": [{"lang": "en", "value": "Riyas from Saintgits College of Engineering"}, {"lang": "en", "value": "k1rnt"}, {"lang": "en", "value": "@1seal"}], "affected": [{"vendor": "Go standard library", "product": "crypto/x509", "versions": [{"status": "affected", "version": "1.26.0-0", "lessThan": "1.26.2", "versionType": "semver"}], "packageName": "crypto/x509", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "newDNSConstraints"}, {"name": "dnsConstraints.query"}, {"name": "Certificate.Verify"}]}], "references": [{"url": "https://go.dev/cl/763763"}, {"url": "https://go.dev/issue/78332"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4866"}], "descriptions": [{"lang": "en", "value": "When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:56.546Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33810", "state": "PUBLISHED", "dateUpdated": "2026-04-13T18:20:37.411Z", "dateReserved": "2026-03-23T20:35:32.814Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-04-08T01:06:56.546Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "39FE9BAF-55E9-43AA-B14E-239E7EF1D65D", "versionEndExcluding": "1.26.2", "versionStartIncluding": "1.26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool."}], "id": "CVE-2026-33810", "lastModified": "2026-04-17T20:41:13.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T02:16:03.950", "references": [{"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/763763"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/78332"}, {"source": "security@golang.org", "tags": ["Release Notes", "Mailing List"], "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2026-4866"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application", "id": "2456335", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456335"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L", "status": "draft"}, "cwe": "CWE-1289", "details": ["When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.", "A flaw was found in the `crypto/x509` package within Go (golang). When verifying a certificate chain, excluded DNS (Domain Name System) constraints are not correctly applied to wildcard DNS Subject Alternative Names (SANs) if the case of the SAN differs from the constraint. This oversight could allow an attacker to bypass certificate validation, potentially leading to the acceptance of a malicious certificate that should have been rejected. This issue specifically impacts the validation of trusted certificate chains."], "name": "CVE-2026-33810", "package_state": [{"cpe": "cpe:/a:redhat:assisted_installer:2", "fix_state": "Affected", "package_name": "rhai/assisted-installer-rhel9", "product_name": "Assisted Installer for Red Hat OpenShift Container Platform 2"}, {"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Affected", "package_name": "openshift-builds/openshift-builds-waiters-rhel9", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Affected", "package_name": "cert-manager/jetstack-cert-manager-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_compliance_operator:1", "fix_state": "Affected", "package_name": "compliance/openshift-compliance-operator-bundle", "product_name": "Compliance Operator"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Affected", "package_name": "build-of-trustee/trustee-rhel9-operator", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Affected", "package_name": "openshift-sandboxed-containers/osc-monitor-rhel9", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Affected", "package_name": "cryostat/cryostat-storage-rhel9", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Not affected", "package_name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:deployment_validator_operator", "fix_state": "Affected", "package_name": "dvo/deployment-validation-rhel8-operator", "product_name": "Deployment Validation Operator"}, {"cpe": "cpe:/a:redhat:ext_dns_optr:1", "fix_state": "Not affected", "package_name": "edo/external-dns-rhel8", "product_name": "ExternalDNS Operator"}, {"cpe": "cpe:/a:redhat:ext_dns_optr:1", "fix_state": "Not affected", "package_name": "edo/external-dns-rhel9", "product_name": "ExternalDNS Operator"}, {"cpe": "cpe:/a:redhat:external_secrets_operator:1", "fix_state": "Affected", "package_name": "external-secrets-operator/external-secrets-rhel9", "product_name": "External Secrets Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:workload_availability_far:0", "fix_state": "Affected", "package_name": "workload-availability/fence-agents-remediation-rhel8-operator", "product_name": "Fence Agents Remediation Operator"}, {"cpe": "cpe:/a:redhat:openshift_file_integrity_operator:1", "fix_state": "Affected", "package_name": "compliance/openshift-compliance-operator-bundle", "product_name": "File Integrity Operator"}, {"cpe": "cpe:/a:redhat:gatekeeper:3", "fix_state": "Affected", "package_name": "gatekeeper/gatekeeper-rhel9-operator", "product_name": "Gatekeeper 3"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/eventrouter-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/logging-loki-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Affected", "package_name": "openshift-logging/eventrouter-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:lvms:4", "fix_state": "Not affected", "package_name": "lvms4/lvms-rhel9-operator", "product_name": "Logical Volume Manager Storage"}, {"cpe": "cpe:/a:redhat:lvms:4", "fix_state": "Not affected", "package_name": "lvms4/topolvm-rhel8", "product_name": "Logical Volume Manager Storage"}, {"cpe": "cpe:/a:redhat:lvms:4", "fix_state": "Not affected", "package_name": "lvms4/topolvm-rhel9", "product_name": "Logical Volume Manager Storage"}, {"cpe": "cpe:/a:redhat:workload_availability_mdr:0", "fix_state": "Affected", "package_name": "workload-availability/machine-deletion-remediation-rhel8-operator", "product_name": "Machine Deletion Remediation Operator"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Affected", "package_name": "mta/mta-cli-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:rhmt:1", "fix_state": "Affected", "package_name": "rhmtc/openshift-migration-registry-rhel8", "product_name": "Migration Toolkit for Containers"}, {"cpe": "cpe:/a:redhat:mirror_registry:1", "fix_state": "Affected", "package_name": "openshift/mirror-registry-rhel8", "product_name": "mirror registry for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:mirror_registry:2", "fix_state": "Affected", "package_name": "openshift/mirror-registry-rhel8", "product_name": "mirror registry for Red Hat OpenShift 2"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Will not fix", "package_name": "multicluster-engine/discovery-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-agent-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:network_observ_optr:1", "fix_state": "Affected", "package_name": "network-observability/network-observability-cli-rhel9", "product_name": "Network Observability Operator"}, {"cpe": "cpe:/a:redhat:workload_availability_nhc:0", "fix_state": "Affected", "package_name": "workload-availability/node-healthcheck-rhel8-operator", "product_name": "Node HealthCheck Operator"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Affected", "package_name": "oadp/oadp-velero-rhel9", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "helm", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "ocp-tools-4/jenkins-agent-base-rhel9", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "ocp-tools-4/jenkins-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "openshift-lightspeed/lightspeed-rhel9-operator", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines-client", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "kn-workflow-plugin", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-plugin-event-sender-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-clients", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/kiali-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/openshift-golang-builder", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Not affected", "package_name": "openshift-service-mesh/kiali-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-service-mesh/openshift-golang-builder", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:openshift_power_monitoring", "fix_state": "Affected", "package_name": "openshift-power-monitoring/kepler-rhel9", "product_name": "Power monitoring for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-amp2/3scale-rhel7-operator", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-amp2/3scale-rhel9-operator", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-amp26/3scale-operator", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-amp26/operator", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/subctl-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-26/receptor-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform/platform-operator-bundle", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-gateway-proxy", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-gateway-proxy-openssl30", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-gateway-proxy-openssl32", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "python3.11-galaxy-ng", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python3.11-grpcio", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python3.12-galaxy-ng", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python3.12-grpcio", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python3x-grpcio", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python-grpcio", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "receptor", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Affected", "package_name": "hawtio-operator-container", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:certifications:9", "fix_state": "Affected", "package_name": "redhat-certification-preflight", "product_name": "Red Hat Certification Program for Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:connectivity_link:1", "fix_state": "Affected", "package_name": "rhcl-1/coredns-rhel9", "product_name": "Red Hat Connectivity Link 1"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-rhel9-operator", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:edge_manager:1", "fix_state": "Affected", "package_name": "flightctl", "product_name": "Red Hat Edge Manager 1"}, {"cpe": "cpe:/a:redhat:edge_manager:1", "fix_state": "Affected", "package_name": "rhem/flightctl-ui-rhel9", "product_name": "Red Hat Edge Manager 1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "butane", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "conmon", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "delve", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "git-lfs", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "go-fdo-client", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "go-fdo-server", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "golang-github-openprinting-ipp-usb", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "grafana-pcp", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "gvisor-tap-vsock", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "ignition", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "image-builder", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "opentelemetry-collector", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhc", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhc-worker-playbook", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/bootc-image-builder", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "skopeo", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "toolbox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "trustee", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "trustee-guest-components", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "yggdrasil", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "host-metering", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "rhc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "rhc-worker-script", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "container-tools:rhel8/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:rhel8/conmon", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "container-tools:rhel8/containernetworking-plugins", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "container-tools:rhel8/podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "container-tools:rhel8/runc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "container-tools:rhel8/skopeo", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:rhel8/toolbox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "git-lfs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana-pcp", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "rhc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "weldr-client", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "butane", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "conmon", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "containernetworking-plugins", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "git-lfs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana-pcp", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "gvisor-tap-vsock", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "ignition", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "image-builder", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "opentelemetry-collector", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "rhc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "rhel9/bootc-image-builder", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "runc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "skopeo", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "toolbox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "trustee-guest-components", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "weldr-client", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "golang1.26", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:lightspeed_for_runtimes:1", "fix_state": "Affected", "package_name": "rh-lightspeed-runtimes/runtimes-inventory-rhel9-operator", "product_name": "Red Hat Lightspeed for Runtimes Operator"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-cli-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-rhel8-operator", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-rhel9-operator", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_cluster_manager_cli:1", "fix_state": "Affected", "package_name": "ocm-cli-clients/ocm-cli-rhel9", "product_name": "Red Hat OpenShift Cluster Manager CLI"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "butane", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "conmon", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "conmon-rs", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "containernetworking-plugins", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "cri-o", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "cri-tools", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "golang-github-prometheus-promu", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "ignition", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "kata-containers", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "microshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/frr-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/openshift-golang-builder", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-sdn-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-kuryr", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "ose-aws-ecr-image-credential-provider", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "ose-azure-acr-image-credential-provider", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "ose-gcp-gcr-image-credential-provider", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "podman", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "runc", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "skopeo", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/cephcsi-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/udi-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:devworkspace", "fix_state": "Affected", "package_name": "devworkspace/devworkspace-rhel9-operator", "product_name": "Red Hat OpenShift Dev Workspaces Operator"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/tempo-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:windows_machine_config", "fix_state": "Not affected", "package_name": "openshift4-wincw/windows-machine-config-rhel9-operator", "product_name": "Red Hat OpenShift for Windows Containers"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/dex-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_service_on_aws:1", "fix_state": "Affected", "package_name": "rosa", "product_name": "Red Hat OpenShift on AWS"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "cnv4/openshift-golang-builder", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/virt-api", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/virt-api-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "kubevirt", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "golang-github-infrawatch-apputils", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "rhosp-rhel8/osp-director-agent", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "collectd-libpod-stats", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "golang-github-infrawatch-apputils", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "rhosp-rhel9/osp-director-agent", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "golang-github-openstack-k8s-operators-os-diff", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "rhoso-operators/sg-core-rhel9", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-builder-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel9", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite:el8/yggdrasil-worker-forwarder", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite/iop-vmaas-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "yggdrasil-worker-forwarder", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:service_interconnect:1", "fix_state": "Affected", "package_name": "skupper-cli", "product_name": "Red Hat Service Interconnect 1"}, {"cpe": "cpe:/a:redhat:service_interconnect:2", "fix_state": "Affected", "package_name": "skupper-cli", "product_name": "Red Hat Service Interconnect 2"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "rhtas/ec-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:webterminal:1", "fix_state": "Affected", "package_name": "web-terminal/web-terminal-exec-rhel9", "product_name": "Red Hat Web Terminal"}, {"cpe": "cpe:/a:redhat:openshift_security_profiles_operator:1", "fix_state": "Affected", "package_name": "compliance/openshift-selinuxd-rhel8", "product_name": "Security Profiles Operator"}, {"cpe": "cpe:/a:redhat:stf:1.5", "fix_state": "Not affected", "package_name": "stf/sg-core-rhel9", "product_name": "Service Telemetry Framework 1.5"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Affected", "package_name": "golang-github-danielqsj-kafka_exporter", "product_name": "streams for Apache Kafka 3"}, {"cpe": "cpe:/a:redhat:zero_trust_workload_identity_manager:1", "fix_state": "Not affected", "package_name": "zero-trust-workload-identity-manager/spiffe-csi-driver-rhel9", "product_name": "Zero Trust Workload Identity Manager"}, {"cpe": "cpe:/a:redhat:zero_trust_workload_identity_manager:0", "fix_state": "Not affected", "package_name": "zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9", "product_name": "Zero Trust Workload Identity Manager - Tech Preview"}], "public_date": "2026-04-08T01:06:56Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33810\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33810\nhttps://go.dev/cl/763763\nhttps://go.dev/issue/78332\nhttps://groups.google.com/g/golang-announce/c/0uYbvbPZRWU\nhttps://pkg.go.dev/vuln/GO-2026-4866"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.0-0,1.26.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "crypto/x509", "vendor": "go_standard_library"}], "analysis": {"en": {"generated_at": "2026-04-18T17:21:50.914074+00:00", "value": {"mitigation_remediation": ["Upgrade the Go runtime to a version that includes the crypto/x509 patch.", "Rebuild and redeploy all Go applications to use the updated binary.", "Ensure that any third\u2011party services or containers using older Go runtimes are also rebuilt to reference the patched Go binary."], "summary": {"action": "Apply Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "All instances of the Go standard library\u2019s crypto/x509 package are affected. The flaw impacts any application that validates certificate chains against a root CA supplied via VerifyOptions.Roots CertPool or the system certificate pool. No specific version range was provided in the advisory, so any Go runtime using the vulnerable logic is at risk.", "description_and_impact": "The bug lies in Go's crypto/x509 implementation of name constraint enforcement during certificate chain verification. When a certificate chain includes excluded DNS constraints, the constraints are not correctly applied to wildcard DNS SAN entries that differ in case from the constraint. This logic flaw allows an otherwise trusted chain to satisfy the excludedSubtrees rule, effectively bypassing the intended restriction. The weakness maps to CWE\u20111289 \u2013 improper constraint application \u2013 and CWE\u2011295, and results in an attacker gaining unauthorized access by presenting a certificate chain that would normally be rejected.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1\u202f% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog, yet it remains a concern for applications that rely on strict name constraint enforcement for internal security controls. Attackers can exploit this flaw by crafting a certificate chain that appears valid under Go\u2019s verification logic but actually violates name constraints, thereby gaining authentication bypass. The most likely attack vector is remote, through network connections that trigger TLS handshakes or other certificate evaluations by Go applications."}}}}, "created": "2026-04-08T19:44:24.085796+00:00", "updated": "2026-04-18T17:30:05.946261+00:00", "vendors": ["go_standard_library", "go_standard_library$PRODUCT$crypto/x509"]}