CVE-2026-33810
Published: 08 April 2026
Summary
CVE-2026-33810 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Golang Go. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). It is ranked at the 1.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mandates timely remediation of the flaw in Go's crypto/x509 certificate validation, preventing exploitation via patching to fixed versions.
Requires systems to validate PKI certificate chains to trusted roots with proper enforcement of constraints like excluded DNS names, directly countering the case-insensitive wildcard SAN bypass.
Enables vulnerability scanning to identify CVE-2026-33810 in Go deployments, facilitating detection and subsequent remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability bypasses DNS name constraint enforcement in certificate validation, allowing acceptance of otherwise invalid certs from trusted roots. This directly facilitates Adversary-in-the-Middle attacks by enabling impersonation and unauthorized access to encrypted TLS communications.
NVD Description
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Deeper analysis
CVE-2026-33810 is a vulnerability in the Go programming language's certificate verification process, specifically within the crypto/x509 package. When verifying a certificate chain that includes excluded DNS constraints, these constraints are not correctly applied to wildcard DNS Subject Alternative Names (SANs) that use a different case than the constraint. This issue only impacts validation of certificate chains that would otherwise be trusted, issued by root CAs present in the VerifyOptions.Roots CertPool or the system certificate pool. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and is associated with CWE-295 (Improper Certificate Validation). It was published on 2026-04-08.
Remote attackers require no privileges or user interaction to exploit this vulnerability over a network connection with low complexity. By presenting a malicious certificate chain from a trusted root CA, an attacker can bypass DNS constraints on wildcard SANs because case differences between the SAN and the constraint are mishandled, leading to successful validation of an otherwise invalid certificate. This enables high-impact confidentiality violations, such as unauthorized access to encrypted communications, and low-impact integrity violations, potentially allowing limited tampering or impersonation in TLS contexts.
Advisories and patches for mitigation are detailed in official Go resources, including the fix commit at https://go.dev/cl/763763, the tracking issue at https://go.dev/issue/78332, the Golang announce mailing list at https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU, the Go vulnerability database entry GO-2026-4866 at https://pkg.go.dev/vuln/GO-2026-4866, and an OSS-security mailing list post at http://www.openwall.com/lists/oss-security/2026/04/19/4. Security practitioners should update to a patched version of Go that incorporates the fix to ensure proper constraint enforcement during certificate chain validation.
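For services that cannot be rebuilt on a patched Go release right away, the following added example (not code from the Go project or from this advisory) shows a defense-in-depth audit that re-checks a leaf's DNS SANs against the chain's excluded DNS constraints with case folded. The names `norm`, `inSubtree` and `ExcludedSANs` are hypothetical, and the matching rule is a conservative assumption, not the algorithm crypto/x509 uses.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// norm lower-cases a DNS name and drops a trailing dot, because DNS names
// compare case-insensitively.
func norm(s string) string { return strings.TrimSuffix(strings.ToLower(s), ".") }

// inSubtree reports whether name equals base or is a subdomain of base.
func inSubtree(name, base string) bool {
	return name == base || strings.HasSuffix(name, "."+base)
}

// ExcludedSANs returns the DNS SANs of leaf that lie inside an excluded DNS
// constraint of any CA in chain, or that are wildcards able to match a name
// inside one. Assumed audit rule, not the crypto/x509 implementation.
func ExcludedSANs(leaf *x509.Certificate, chain []*x509.Certificate) []string {
	var hits []string
	for _, san := range leaf.DNSNames {
		name := norm(san)
		wildcard := strings.HasPrefix(name, "*.")
		name = strings.TrimPrefix(name, "*.")
	cas:
		for _, ca := range chain {
			for _, c := range ca.ExcludedDNSDomains {
				base := strings.TrimPrefix(norm(c), ".")
				// "*.example.com" matches "x.example.com", so it also
				// conflicts with an exclusion one label below its base.
				i := strings.IndexByte(base, '.')
				covers := wildcard && i >= 0 && base[i+1:] == name
				if inSubtree(name, base) || covers {
					hits = append(hits, san)
					break cas
				}
			}
		}
	}
	return hits
}

func main() {
	// Constructed sample values: struct fields only, no real certificates.
	ca := &x509.Certificate{ExcludedDNSDomains: []string{"internal.example.com"}}
	leaf := &x509.Certificate{DNSNames: []string{"*.INTERNAL.example.com", "www.example.com"}}
	fmt.Println(ExcludedSANs(leaf, []*x509.Certificate{ca}))
}
```

Run it over the chains returned by `(*x509.Certificate).Verify` and treat any non-empty result as a validation failure until the runtime is updated.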
Details
- CWE(s)