Cyber Resilience

CVE-2026-33810

Severity: High (updated)
Published: 08 April 2026
Modified: 30 June 2026
KEV Added: not listed
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0026 (17.1 percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33810 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Golang Go. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE is ranked at the 17.1 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33810 is a vulnerability in the Go programming language's certificate verification process, specifically within the crypto/x509 package. When verifying a certificate chain that includes excluded DNS constraints, these constraints are not correctly applied to wildcard DNS Subject Alternative Names (SANs) that use a different case than the constraint. This issue only impacts validation of certificate chains that would otherwise be trusted, issued by root CAs present in the VerifyOptions.Roots CertPool or the system certificate pool. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and is associated with CWE-295 (Improper Certificate Validation). It was published on 2026-04-08.

Remote attackers require no privileges or user interaction to exploit this vulnerability over a network connection with low complexity. By presenting a certificate chain that descends from a trusted root CA, an attacker can bypass an excluded DNS name constraint on a wildcard SAN because the case difference between the SAN and the constraint is mishandled, so an otherwise invalid certificate validates successfully. This enables high-impact confidentiality violations, such as unauthorized access to encrypted communications, and low-impact integrity violations, potentially allowing limited tampering or impersonation in TLS contexts.

Advisories and patches for mitigation are detailed in official Go resources, including the fix commit at https://go.dev/cl/763763, the tracking issue at https://go.dev/issue/78332, the Golang announce mailing list at https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU, the Go vulnerability database entry GO-2026-4866 at https://pkg.go.dev/vuln/GO-2026-4866, and an OSS-security mailing list post at http://www.openwall.com/lists/oss-security/2026/04/19/4. Security practitioners should update to a patched version of Go that incorporates the fix to ensure proper constraint enforcement during certificate chain validation.
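To make the failure mode concrete, the following is an added, simplified model of excluded DNS name constraint matching; it is not the crypto/x509 code and does not reproduce the actual fix. The `fold` flag toggles case-insensitive label comparison: with it off, a wildcard SAN whose case differs from the excluded constraint escapes the check, which is the shape of the bug described above; the constraint and SAN values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// inSubtree reports whether name lies in the DNS subtree named by constraint,
// as an excluded name constraint is meant to apply: "example.com" (or
// ".example.com") captures example.com and every subdomain. A wildcard SAN
// "*.x" is checked through its parent "x". fold selects case folding (RFC 4343).
func inSubtree(name, constraint string, fold bool) bool {
	name = strings.TrimPrefix(name, "*.")
	constraint = strings.TrimPrefix(constraint, ".")
	if fold {
		name = strings.ToLower(name)
		constraint = strings.ToLower(constraint)
	}
	nl := strings.Split(name, ".")
	cl := strings.Split(constraint, ".")
	if len(nl) < len(cl) {
		return false
	}
	// Compare label by label starting from the rightmost (TLD) side.
	for i := 1; i <= len(cl); i++ {
		if nl[len(nl)-i] != cl[len(cl)-i] {
			return false
		}
	}
	return true
}

// excludedSAN returns the first DNS SAN captured by an excluded constraint,
// or "" when every SAN lies outside all excluded subtrees (chain accepted).
func excludedSAN(sans, excluded []string, fold bool) string {
	for _, san := range sans {
		for _, ex := range excluded {
			if inSubtree(san, ex, fold) {
				return san
			}
		}
	}
	return ""
}

func main() { // constructed chain: excluded ".example.com", leaf SAN "*.EXAMPLE.COM"
	fmt.Println(excludedSAN([]string{"*.EXAMPLE.COM"}, []string{".example.com"}, false)) // "" (slips through)
	fmt.Println(excludedSAN([]string{"*.EXAMPLE.COM"}, []string{".example.com"}, true))  // "*.EXAMPLE.COM"
}
```

The case-folded path is the behaviour a verifier must have; the first call shows why a case-sensitive comparison is a bypass rather than a strictness bonus.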

Vulnerability details

When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

The vulnerability bypasses DNS name constraint enforcement in certificate validation, allowing acceptance of otherwise invalid certs from trusted roots. This directly facilitates Adversary-in-the-Middle attacks by enabling impersonation and unauthorized access to encrypted TLS communications.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68121 (same product: Golang Go)
CVE-2026-27137 (same product: Golang Go)
CVE-2026-32281 (same product: Golang Go)
CVE-2025-61731 (same product: Golang Go)
CVE-2026-27144 (same product: Golang Go)
CVE-2025-61726 (same product: Golang Go)
CVE-2026-32283 (same product: Golang Go)
CVE-2026-25679 (same product: Golang Go)
CVE-2026-32280 (same product: Golang Go)
CVE-2025-61732 (same product: Golang Go)

Affected Assets

golang go, versions 1.26.0 through 1.26.2

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation (prevent): Directly mandates timely remediation of the flaw in Go's crypto/x509 certificate validation, preventing exploitation via patching to fixed versions.

SC-17 Public Key Infrastructure Certificates (prevent): Requires systems to validate PKI certificate chains to trusted roots with proper enforcement of constraints like excluded DNS names, directly countering the case-insensitive wildcard SAN bypass.

Vulnerability scanning (detect): Enables vulnerability scanning to identify CVE-2026-33810 in Go deployments, facilitating detection and subsequent remediation.
