LiveActive security incident?Get immediate response
CVE Record

CVE-2026-39821: Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

CriticalCVSS 9.6Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

A flaw in Go's widely used golang.org/x/net/idna package can cause hostname checks to be bypassed. A specially crafted domain name that looks distinct in one form can decode to a trusted name, tricking applications that make security decisions on the original text. In practice, that means a program that thinks it is blocking access could inadvertently grant it, which is why this is rated critical.

Executive priority

Treat as a high-priority patch cycle for any Go-based platform team. The bug is critical severity, silently converts blocked names into trusted ones, and already has vendor fixes and Red Hat advisories, so remediation is straightforward and delay is hard to justify.

Technical view

golang.org/x/net/idna's ToASCII and ToUnicode functions accept malformed Punycode labels (for example, "xn--example-") that decode to an ASCII-only label like "example.com" instead of returning an error. Programs that perform authorization or allow/deny checks on the ASCII form before later normalizing to Unicode can be tricked into permitting a name they intended to reject, enabling a privilege-escalation-class bypass in dependent Go services.

Likely exposure

Any Go application that imports golang.org/x/net/idna and uses ToASCII/ToUnicode for hostname normalization ahead of authorization, routing, SSO callbacks, SSRF allow-lists, or multi-tenant checks. Red Hat has issued multiple RHSA advisories, indicating downstream exposure across containerized platforms, OpenShift components, and other Go-based products that vendor this package.

Exploitation context

CVSS 3.1 base score is 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) with scope change, reflecting network-reachable, low-complexity abuse. CVE Program data shows KEV=false and no cited public reports of active exploitation as of the source bundle. The Go security team classifies it under GO-2026-5026; risk is elevated because the primitive is trivial once a vulnerable check pattern exists.

Researcher notes

The root cause is inadequate validation of Punycode labels that resolve to pure ASCII, mapped to CWE-1289 (improper validation of unsafe equivalence in input). Scope change in the CVSS vector reflects that the parser bug influences authorization decisions in the calling application. Impact is confidentiality and integrity, not availability. No public exploit code is cited in the source bundle, and KEV listing is absent as of the update date 2026-07-10.

Mitigation direction

  • Upgrade golang.org/x/net to the fixed version referenced in GO-2026-5026 and the Go announcement.
  • Rebuild and redeploy Go binaries that vendor golang.org/x/net/idna, including internal tools and sidecars.
  • Apply the relevant Red Hat RHSA errata to affected OpenShift, RHEL, and layered products.
  • Audit code that calls idna.ToASCII or idna.ToUnicode ahead of authorization or allow-list checks.
  • Where upgrade is delayed, reject hostnames whose Punycode form fails strict validation before authorization.
  • Consult vendor guidance for any third-party product that embeds golang.org/x/net/idna.

Validation and detection

  • Run govulncheck against builds to confirm GO-2026-5026 is no longer reported.
  • Inventory go.mod and go.sum across services for golang.org/x/net versions below the fixed release.
  • Query SBOMs and container images for vendored golang.org/x/net/idna copies.
  • Test that ToUnicode("xn--example-.com") now returns an error rather than "example.com".
  • Verify Red Hat errata (for example RHSA-2026:34789, RHSA-2026:36796) are applied on affected hosts.
  • Review logs for hostname-based access decisions that involve Punycode-encoded input.
Prepared
Confidence
high
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-1289: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Privilege behavior lookup

The CVE wording references privilege impact, so privilege escalation and authorization behavior review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-39821 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.6 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
2ADP providers
45Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.6CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N3.15.8CISA-ADP
8.2CVSS 3.1HighCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N1.85.8redhat-SADP

Vulnerability scoring details

Base CVSS 3.1 score

9.6Critical
CVSS 3.1 vector shape for CVE-2026-39821Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Made public.

  3. CVE publishedCVE Program

    The CVE record was published.

  4. ADP timelineredhat-SADP

    Reported to Red Hat.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
redhat-SADPgolang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing
other:Red Hat severity ratingcvssV3_1
  • 2026-05-22T16:00:52.844Z: Reported to Red Hat.
  • 2026-05-22T15:01:21.462Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
golang.org/x/netgolang.org/x/net/idnagolang.org/x/net/idna, 0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-1289 · source CWE mapping

Improper Validation of Unsafe Equivalence in Input

Improper Validation of Unsafe Equivalence in Input represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.