High

Go crypto/x509 excluded DNS constraints wildcard case validation bypass

IdentifiersCVE-2026-33810CWE-295· Improper Certificate Validation

CVE-2026-33810 is a certificate validation flaw in Go 1.26's crypto/x509 component. When verifying a certificate chain that contains excluded DNS name constraints, the verification logic does not correctly apply those constraints to wildcard DNS Subject Alternative Names when the wildcard SAN uses different letter casing than the excluded constraint. As described in the provided content, a certificate containing a SAN such as "*.example.com" can evade an excluded DNS constraint such as "EXAMPLE.COM" because the constraint comparison is handled incorrectly for this wildcard-and-case combination. The issue affects validation of otherwise trusted certificate chains anchored by a root CA present in VerifyOptions.Roots or in the system certificate pool.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause incorrect acceptance of a certificate chain that should have been rejected under excluded DNS name constraints. In practice, this is a certificate validation bypass in which name constraints meant to prohibit issuance or acceptance for a DNS namespace are not enforced for certain wildcard SANs with case mismatches. This can undermine trust decisions made by applications relying on Go crypto/x509 for certificate verification, potentially allowing use of an otherwise trusted but policy-violating certificate for prohibited domains.

Mitigation

If you can’t patch tonight, do this now.

As an interim measure, avoid relying solely on the vulnerable excluded-DNS-constraint handling path in Go 1.26 for security decisions. Where feasible, restrict trust anchors to only those required, avoid accepting chains from unnecessary roots in VerifyOptions.Roots or the system trust store, and perform additional hostname or certificate policy validation in higher-level application logic if operationally possible. The definitive mitigation is to patch/upgrade, because the flaw is in certificate verification logic.

Remediation

Patch, then assume compromise.

Upgrade from vulnerable Go 1.26 builds to a fixed Go release containing the crypto/x509 correction for CVE-2026-33810. The provided content indicates the issue was addressed in the Go security releases following disclosure and references downstream fixes in vendor errata. Rebuild and redeploy applications statically linked against vulnerable Go standard library versions as appropriate for the environment, since Go applications commonly embed the affected library code.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GolangGoapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

13 SOURCESView more in app

bugzilla redhatNews

May 6, 2026

2456335 - (CVE-2026-33810) CVE-2026-33810 crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application

A certificate validation bypass vulnerability in Go's crypto/x509 library caused by incorrect application of excluded DNS constraints to wildcard DNS SANs with different casing.

bugzilla suseNews

Apr 28, 2026

1261662 - (CVE-2026-33810) VUL-0: CVE-2026-33810: go1.26: crypto/x509: excluded DNS constraints not properly applied to wildcard domains

A vulnerability in Go 1.26 crypto/x509 where excluded DNS constraints are not properly applied to wildcard domains.

go dev blogNews

Mar 27, 2026

crypto/x509: excluded DNS constraints not properly applied to wildcard domains · Issue #78332 · golang/go

A certificate chain validation flaw in Go 1.26 where excluded DNS constraints are not correctly enforced against wildcard DNS SANs when case differs, potentially allowing otherwise trusted certificate chains to bypass intended DNS constraint checks.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity10

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-33810

NVD

nvd.nist.gov/vuln/detail/CVE-2026-33810

MITRE CWE · CWE-295

Improper Certificate Validation

Patch

go.dev/cl/763763

Vendor Advisory

pkg.go.dev/vuln/GO-2026-4866

Release Notes

groups.google.com/g/golang-announce/c/0uYbvbPZRWU

Issue Tracking

go.dev/issue/78332

openwall.com

openwall.com/lists/oss-security/2026/04/19/4

openwall.com

openwall.com/lists/oss-security/2026/04/20/1