When verifying a certificate chain containing excluded DNS constraints, these
constraints are not correctly applied to wildcard DNS SANs which use a different
case than the constraint.
For example, if a certificate contains the DNS name "*.example.com" and the
excluded DNS name "EXAMPLE.COM", the constraint will not be applied.
This only affects validation of otherwise trusted certificate chains, issued by
a root CA in the VerifyOptions.Roots CertPool, or in the system certificate
pool.
This issue only affects Go 1.26.
Thank you to Riyas from Saintgits College of Engineering, k1rnt, and @1seal for reporting this issue.
This is CVE-2026-33810 and Go issue https://go.dev/issue/78332.
This is a PRIVATE issue for CVE-2026-33810, tracked in http://b/491458235 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3860.
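
An application-level cross-check for the case described above, added here as an example (it is not code from the Go project or from the fix): it compares leaf DNS SANs against excluded DNS constraints case-insensitively. The helper names and the constructed sample chain are assumptions; `DNSNames` and `ExcludedDNSDomains` are the real `crypto/x509` fields, and the wildcard handling deliberately over-approximates.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// norm makes DNS name comparison case-insensitive and ignores a trailing dot.
func norm(s string) string { return strings.ToLower(strings.TrimSuffix(s, ".")) }

// within reports whether name equals parent or is a subdomain of it.
func within(name, parent string) bool { return name == parent || strings.HasSuffix(name, "."+parent) }

// conflicts reports whether a DNS SAN falls under an excluded DNS constraint.
// Assumptions (both over-approximate): a leading dot is treated like the bare
// name, and a wildcard SAN conflicts if the excluded name lies below its base.
func conflicts(san, excluded string) bool {
	s, e := norm(san), strings.TrimPrefix(norm(excluded), ".")
	if e == "" {
		return true // an empty constraint covers every name
	}
	if base, ok := strings.CutPrefix(s, "*."); ok {
		return within(base, e) || within(e, base)
	}
	return within(s, e)
}

// excludedViolations lists leaf SANs (chain[0]) excluded by a later certificate.
func excludedViolations(chain []*x509.Certificate) []string {
	var out []string
	for i := 1; i < len(chain); i++ {
		for _, ex := range chain[i].ExcludedDNSDomains {
			for _, san := range chain[0].DNSNames {
				if conflicts(san, ex) {
					out = append(out, fmt.Sprintf("%q excluded by %q", san, ex))
				}
			}
		}
	}
	return out
}

// sampleChain is a constructed leaf-first chain using the advisory's names.
func sampleChain() []*x509.Certificate {
	return []*x509.Certificate{{DNSNames: []string{"*.example.com"}}, {ExcludedDNSDomains: []string{"EXAMPLE.COM"}}}
}
func main() { fmt.Println(excludedViolations(sampleChain())) }
```

Each chain returned by `Certificate.Verify` is ordered leaf first, so it can be passed to `excludedViolations` directly.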