CVE-2026-27145: Inefficient candidate hostname parsing in crypto/x509
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.
Security readout for executives and security teams
Plain-English summary
A malicious or oversized certificate can make affected Go certificate hostname checks consume excessive CPU before trust is even established. The main business risk is service slowdown or denial of service in systems that process untrusted certificates over the network.
Executive priority
Treat as high priority for externally reachable Go services because exploitation can affect availability without authentication. Patch through official Go or OS vendor channels after confirming where affected builds are deployed.
Technical view
In crypto/x509, VerifyHostname repeatedly split the same candidate hostname while looping through DNS SAN entries. Large DNS SAN lists made work scale with SAN count times hostname label count, and x509.Verify performed this before chain building, including for untrusted certificates.
Likely exposure
Exposure is most likely in Go applications built with affected standard library versions that validate peer, uploaded, or otherwise attacker-controlled certificates and hostnames.
Exploitation context
The bundle does not report CISA KEV listing or confirmed active exploitation. The CVSS vector indicates remote, unauthenticated, low-complexity availability impact, but no exploit status is cited.
Researcher notes
The issue is algorithmic complexity rather than memory corruption. Key uncertainty is exact fixed-version coverage from the bundle; rely on Go advisory, Go announcement, and downstream vendor errata for definitive remediation mapping.
Mitigation direction
Check Go advisory GO-2026-5037 and Go announcement for fixed releases.
Update affected Go toolchains or rebuilt applications following vendor guidance.
Apply relevant Red Hat errata for packaged Go components where applicable.
Prioritize internet-facing services that validate certificates from untrusted peers.
Monitor CPU saturation and TLS or certificate-validation error spikes.
Validation and detection
Inventory services and containers built with affected Go standard library versions.
Identify code paths using x509.Verify, VerifyHostname, or TLS certificate validation.
Check SBOMs and build metadata for Go version provenance.
Review exposure to untrusted peer or uploaded certificates.
Confirm vendor advisories are applied in runtime images and packages.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-407: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-407 · source CWE mapping
Inefficient Algorithmic Complexity
Inefficient Algorithmic Complexity represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Unchecked Input for Loop Condition represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.