CVE-2026-33810 · HIGH 8.2 · EPSS p17.3%

Description

When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.26% probability of exploitation · percentile 17.3% · 2026-06-18T12:00:27Z
Published: 2026-04-08
Last modified: 2026-04-20

Underlying weaknesses · 1

CWE-295

References

  1. https://go.dev/cl/763763
  2. https://go.dev/issue/78332
  3. https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
  4. https://pkg.go.dev/vuln/GO-2026-4866
  5. http://www.openwall.com/lists/oss-security/2026/04/19/4
  6. http://www.openwall.com/lists/oss-security/2026/04/20/1

Type: Weakness
Target: Improper Certificate Validation (cwe-295)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-3833
  2. CVE-2026-42011
  3. CVE-2026-42012
  4. CVE-2026-32992
  5. CVE-2026-35563
  6. CVE-2026-27145

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.