Zero Day MonitorZDM

← Back to list

5.3

CVE-2025-61730PATCHED

golang · go

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages m

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Affected Products

Vendor	Product	Versions
golang	go	< 1.24.12, < 1.25.6

References

https://go.dev/cl/724120(Patch)
https://go.dev/issue/76443(Patch)
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc(Release Notes)
https://pkg.go.dev/vuln/GO-2026-4340(Vendor Advisory)

CVSS 3.15.3 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.24.121.25.6

PublishedJan 28, 2026

Last enriched9h ago

Trending Score0

Source articles0

Independent0

Info Completeness8/14

Missing: epss, cwe, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2025-68121

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed

HIGHCVE-2025-61732

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

HIGHCVE-2026-34828

listmonk's active sessions remain valid after password reset and password change

HIGHCVE-2025-61731

Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides

MEDIUMCVE-2025-61728

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructe

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Jan 28, 2026

Patch Available

Feb 3, 2026

Discovered by ZDM

Apr 1, 2026