Bug 2456335 (CVE-2026-33810)
| Summary: | CVE-2026-33810 crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aazores, abarbaro, abrianik, akostadi, akoudelk, alcohan, alebedev, alizardo, amasferr, anjoseph, anpicker, ansmith, anthomas, bbrownin, bdettelb, bparees, chfoley, ckandaga, cmah, crizzo, dhanak, dmayorov, doconnor, drosa, dschmidt, dsimansk, dymurray, eaguilar, ebaron, eborisov, eglynn, ehelms, erezende, fdeutsch, ggainey, ggrzybek, gparvin, hasun, ibolton, jbalunas, jburrell, jcantril, jchui, jeder, jfula, jhe, jjoyce, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jowilson, jprabhak, jpretori, jraez, jschluet, juwatts, kingland, kshier, ktsao, kverlaen, lball, lbragsta, lchilton, lgamliel, lhh, lphiri, manissin, mbocek, mburns, mgarciac, mhulan, mnovotny, mrunge, mwringe, nboldt, ngough, nmoumoul, nyancey, oaljalju, ometelka, oramraz, osousa, pahickey, pantinor, parichar, pcreech, peholase, pgaikwad, pjindal, psrna, ptisnovs, pvasanth, rchan, rfreiman, rgodfrey, rhaigner, rhel-process-autobot, rjohnson, rojacob, sakbas, sausingh, sdawley, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sseago, stcannon, stirabos, swoodman, syedriko, tasato, teagle, thason, tmalecek, tsedmik, veshanka, vimartin, vkarehfa, watson-tool-maintainers, wenshen, whayutin, wtam, xdharmai, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in the `crypto/x509` package within Go (golang). When verifying a certificate chain, excluded DNS (Domain Name System) constraints are not correctly applied to wildcard DNS Subject Alternative Names (SANs) if the case of the SAN differs from the constraint. This oversight could allow an attacker to bypass certificate validation, potentially leading to the acceptance of a malicious certificate that should have been rejected. This issue specifically impacts the validation of trusted certificate chains.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2456853 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2026-04-08 02:01:32 UTC
This issue has been addressed in the following products: Cryostat 4 on RHEL 9 Via RHSA-2026:14391 https://access.redhat.com/errata/RHSA-2026:14391 This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:19135 https://access.redhat.com/errata/RHSA-2026:19135 This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:19144 https://access.redhat.com/errata/RHSA-2026:19144 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:19353 https://access.redhat.com/errata/RHSA-2026:19353 This issue has been addressed in the following products: Red Hat Enterprise Linux 10.0 Extended Update Support Via RHSA-2026:19719 https://access.redhat.com/errata/RHSA-2026:19719 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2026:19721 https://access.redhat.com/errata/RHSA-2026:19721 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:19720 https://access.redhat.com/errata/RHSA-2026:19720 |