UNKNOWN Go
Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509
GO-2026-4866 · BIT-golang-2026-33810 · CVE-2026-33810
Description
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint.
This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
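The following Go sketch is an added example, not code from the Go project or from this advisory. It independently re-checks a leaf certificate's DNS SANs against the excludedSubtrees of the CAs above it, lower-casing both sides and treating wildcard SANs explicitly. The function names are hypothetical, the certificates are constructed in memory, and the handling of a leading "." is an assumption that over-reports rather than under-reports.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// inExcludedSubtree reports whether a DNS SAN (possibly a wildcard) can cover
// a name inside an excluded subtree. Both sides are lower-cased first.
func inExcludedSubtree(san, constraint string) bool {
	s := strings.ToLower(strings.TrimSuffix(san, "."))
	// Assumption: a leading "." on the constraint is dropped (over-reports).
	c := strings.ToLower(strings.TrimPrefix(strings.TrimSuffix(constraint, "."), "."))
	if strings.HasPrefix(s, "*.") {
		// "*.base" covers every name one label below base: it conflicts when
		// base lies in the subtree, or when the constraint is such a name.
		base, parent := s[2:], ""
		if i := strings.IndexByte(c, '.'); i >= 0 {
			parent = c[i+1:]
		}
		return base == c || strings.HasSuffix(base, "."+c) || parent == base
	}
	return s == c || strings.HasSuffix(s, "."+c)
}

// ExcludedDNSViolations checks the leaf (chain[0]) DNS SANs against the
// excluded DNS constraints of every certificate above it in the chain.
func ExcludedDNSViolations(chain []*x509.Certificate) []string {
	var out []string
	for i := 1; i < len(chain); i++ {
		for _, c := range chain[i].ExcludedDNSDomains {
			for _, san := range chain[0].DNSNames {
				if inExcludedSubtree(san, c) {
					out = append(out, fmt.Sprintf("SAN %q falls under excluded %q", san, c))
				}
			}
		}
	}
	return out
}

func main() {
	// Constructed sample: only the fields this check reads are populated.
	leaf := &x509.Certificate{DNSNames: []string{"*.EXAMPLE.com", "ok.example.org"}}
	ca := &x509.Certificate{ExcludedDNSDomains: []string{"example.com"}}
	fmt.Println(ExcludedDNSViolations([]*x509.Certificate{leaf, ca}))
}
```

Run over chains returned by `Verify`, a non-empty result flags a leaf that a constrained CA should not have been able to issue.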