During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages m

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Affected Products

Vendor	Product	Versions
golang	go	< 1.24.12, < 1.25.6

References

https://go.dev/cl/724120(Patch)
https://go.dev/issue/76443(Patch)
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc(Release Notes)
https://pkg.go.dev/vuln/GO-2026-4340(Vendor Advisory)

CVSS 3.15.3 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.24.121.25.6

PublishedJan 28, 2026

Last enriched11h ago

Trending Score0

Source articles0

Independent0

Info Completeness8/14

Missing: epss, cwe, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages m

Description

Affected Products

References

Community Vote

Related CVEs (5)

Pin to Dashboard

Verification

Vulnerability Timeline