CVE-2026-39821: Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
Security readout for executives and security teams
Plain-English summary
A flaw in Go's widely used golang.org/x/net/idna package can cause hostname checks to be bypassed. A specially crafted domain name that looks distinct in one form can decode to a trusted name, tricking applications that make security decisions on the original text. In practice, that means a program that thinks it is blocking access could inadvertently grant it, which is why this is rated critical.
Executive priority
Treat as a high-priority patch cycle for any Go-based platform team. The bug is critical severity, silently converts blocked names into trusted ones, and already has vendor fixes and Red Hat advisories, so remediation is straightforward and delay is hard to justify.
Technical view
golang.org/x/net/idna's ToASCII and ToUnicode functions accept malformed Punycode labels (for example, "xn--example-") that decode to an ASCII-only label like "example.com" instead of returning an error. Programs that perform authorization or allow/deny checks on the ASCII form before later normalizing to Unicode can be tricked into permitting a name they intended to reject, enabling a privilege-escalation-class bypass in dependent Go services.
Likely exposure
Any Go application that imports golang.org/x/net/idna and uses ToASCII/ToUnicode for hostname normalization ahead of authorization, routing, SSO callbacks, SSRF allow-lists, or multi-tenant checks. Red Hat has issued multiple RHSA advisories, indicating downstream exposure across containerized platforms, OpenShift components, and other Go-based products that vendor this package.
Exploitation context
CVSS 3.1 base score is 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) with scope change, reflecting network-reachable, low-complexity abuse. CVE Program data shows KEV=false and no cited public reports of active exploitation as of the source bundle. The Go security team classifies it under GO-2026-5026; risk is elevated because the primitive is trivial once a vulnerable check pattern exists.
Researcher notes
The root cause is inadequate validation of Punycode labels that resolve to pure ASCII, mapped to CWE-1289 (improper validation of unsafe equivalence in input). Scope change in the CVSS vector reflects that the parser bug influences authorization decisions in the calling application. Impact is confidentiality and integrity, not availability. No public exploit code is cited in the source bundle, and KEV listing is absent as of the update date 2026-07-10.
Mitigation direction
Upgrade golang.org/x/net to the fixed version referenced in GO-2026-5026 and the Go announcement.
Rebuild and redeploy Go binaries that vendor golang.org/x/net/idna, including internal tools and sidecars.
Apply the relevant Red Hat RHSA errata to affected OpenShift, RHEL, and layered products.
Audit code that calls idna.ToASCII or idna.ToUnicode ahead of authorization or allow-list checks.
Where upgrade is delayed, reject hostnames whose Punycode form fails strict validation before authorization.
Consult vendor guidance for any third-party product that embeds golang.org/x/net/idna.
Validation and detection
Run govulncheck against builds to confirm GO-2026-5026 is no longer reported.
Inventory go.mod and go.sum across services for golang.org/x/net versions below the fixed release.
Query SBOMs and container images for vendored golang.org/x/net/idna copies.
Test that ToUnicode("xn--example-.com") now returns an error rather than "example.com".
Verify Red Hat errata (for example RHSA-2026:34789, RHSA-2026:36796) are applied on affected hosts.
Review logs for hostname-based access decisions that involve Punycode-encoded input.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-1289: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references privilege impact, so privilege escalation and authorization behavior review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
5Timeline events
2ADP providers
45Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-1289 · source CWE mapping
Improper Validation of Unsafe Equivalence in Input
Improper Validation of Unsafe Equivalence in Input represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.