Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509

Description

When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected Products

Vendor	Product	Versions
go	go	1.26.0-0, 1.26.1

References

Related News (2 articles)

Tier C

oss-security1d ago

Go 1.26.2 and Go 1.25.9 are released with 10 security fixes

→ No new info (linked only)

Tier C

VulDB2d ago

CVE-2026-33810 | crypto-x509 up to 1.26.1 on Go Certificate Chain certificate validation

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.26.2

PublishedApr 8, 2026

Last enriched2d agov2

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (2)

Version History

Last enriched 2d ago

v2Tier C2d ago

Updated severity to CRITICAL, added affected version 1.26.1, and noted that the vulnerability is actively exploited.

severityaffectedVersionsactivelyExploitedtags

via VulDB

v12d ago

Initial creation