CVE-2025-68121CRITICAL 10.0EPSS p50.6%

CVE-2025-68121CVE-2025-68121

Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Scoring

CVSS 3.110.0 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS0.77% probability of exploitation · percentile 50.6% · 2026-06-19T12:03:05Z
Published2026-02-05
Last modified2026-04-29

Underlying weaknesses· 1

CWE-295

References

  1. https://go.dev/cl/737700
  2. https://go.dev/issue/77217
  3. https://groups.google.com/g/golang-announce/c/K09ubi9FQFk
  4. https://pkg.go.dev/vuln/GO-2026-4337

1

TypeTargetConfidenceTier
WeaknessImproper Certificate Validationcwe-2950%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-9293
CVE
CVE-2026-6899
CVE
CVE-2026-9758
CVE
CVE-2026-42508
CVE
CVE-2026-42011
CVE
CVE-2025-59461
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.