Bug 2480756 (CVE-2026-39821) - CVE-2026-39821 golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing
Summary: CVE-2026-39821 golang.org/x/net/idna: golang: golang.org/x/net/idna: Privileg...
Keywords:
Status: NEW
Alias: CVE-2026-39821
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2487627
Blocks:
Reported: 2026-05-22 16:01 UTC by OSIDB Bzimport
Modified: 2026-07-01 19:21 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:30853 0 None None None 2026-06-29 02:33:37 UTC
Red Hat Product Errata RHSA-2026:30854 0 None None None 2026-06-29 04:50:37 UTC
Red Hat Product Errata RHSA-2026:30855 0 None None None 2026-06-29 18:11:40 UTC
Red Hat Product Errata RHSA-2026:34357 0 None None None 2026-07-01 18:36:20 UTC
Red Hat Product Errata RHSA-2026:34359 0 None None None 2026-07-01 19:21:16 UTC

Description OSIDB Bzimport 2026-05-22 16:01:15 UTC
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".
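
The label check the report describes, as an added example that is not code from golang.org/x/net/idna or from Red Hat: it is written in Python, with the standard library's Punycode codec standing in for the Go package's decoder, and `DENIED_HOSTS` is a constructed placeholder deny-list. `to_unicode_host_permissive` reproduces the pre-fix behaviour quoted above; `to_unicode_host` rejects an "xn--" label whose decoded form is pure ASCII, and `is_allowed` runs the privilege check only on a successfully canonicalised name.

```python
"""CVE-2026-39821 style check: an A-label must not decode to ASCII-only."""

ACE_PREFIX = "xn--"


def _punycode(label_body: str) -> str:
    # Stdlib RFC 3492 decoder; raises UnicodeError on malformed input.
    return label_body.encode("ascii").decode("punycode")


def to_unicode_host_permissive(host: str) -> str:
    """Pre-fix behaviour from the report: decode without the ASCII-only check."""
    return ".".join(
        _punycode(lab[len(ACE_PREFIX):]) if lab.lower().startswith(ACE_PREFIX) else lab
        for lab in host.split(".")
    )


def to_unicode_label(label: str) -> str:
    """Return the U-label for one label, rejecting ACE labels that decode to ASCII.

    A conforming encoder never produces "xn--" for an ASCII-only label, so such
    input is either malformed or an attempt to spell an ASCII name two ways.
    """
    lowered = label.lower()  # hostnames are case-insensitive
    if not lowered.startswith(ACE_PREFIX):
        return label
    try:
        decoded = _punycode(lowered[len(ACE_PREFIX):])
    except UnicodeError as exc:
        raise ValueError(f"malformed A-label {label!r}: {exc}") from None
    if decoded.isascii():
        raise ValueError(f"A-label {label!r} decodes to ASCII-only {decoded!r}")
    return decoded


def to_unicode_host(host: str) -> str:
    """Fixed behaviour: every label is validated, so the whole name is rejected."""
    return ".".join(to_unicode_label(lab) for lab in host.split("."))


DENIED_HOSTS = {"example.com"}  # constructed deny-list for the demonstration


def is_allowed(host: str) -> bool:
    """Canonicalise first, then check; an unconvertible name is denied outright."""
    try:
        canonical = to_unicode_host(host)
    except ValueError:
        return False
    return canonical.lower() not in DENIED_HOSTS
```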

Comment 1 errata-xmlrpc 2026-06-29 02:33:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:30853 https://access.redhat.com/errata/RHSA-2026:30853

Comment 2 errata-xmlrpc 2026-06-29 04:50:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:30854 https://access.redhat.com/errata/RHSA-2026:30854

Comment 3 errata-xmlrpc 2026-06-29 18:11:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:30855 https://access.redhat.com/errata/RHSA-2026:30855

Comment 4 errata-xmlrpc 2026-07-01 18:36:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:34357 https://access.redhat.com/errata/RHSA-2026:34357

Comment 5 errata-xmlrpc 2026-07-01 19:21:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:34359 https://access.redhat.com/errata/RHSA-2026:34359
