When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
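
An independent audit check for the condition described above, comparing DNS SANs against excluded constraints only after lower-casing both sides. This is an added example, not code from the Go standard library: `inSubtree`, `excludedBy` and `auditSANs` are hypothetical helpers, the sample names are constructed, and the wildcard rule is deliberately conservative (an assumption of this example).

```go
package main

import (
	"fmt"
	"strings"
)

// inSubtree reports whether name equals base or is a subdomain of it.
func inSubtree(name, base string) bool {
	return name == base || strings.HasSuffix(name, "."+base)
}

// excludedBy reports whether a DNS SAN conflicts with one excluded DNS
// constraint. Both sides are lower-cased first, because DNS names compare
// case-insensitively. A leading "." on the constraint is dropped (assumption).
func excludedBy(san, constraint string) bool {
	s := strings.ToLower(strings.TrimSuffix(san, "."))
	c := strings.TrimPrefix(strings.ToLower(strings.TrimSuffix(constraint, ".")), ".")
	if strings.HasPrefix(s, "*.") {
		base := s[2:]
		// Conservative rule (assumption): flag the wildcard if its base is
		// inside the excluded subtree, or if the excluded name sits below
		// the base, where the wildcard could expand into it.
		return inSubtree(base, c) || inSubtree(c, base)
	}
	return inSubtree(s, c)
}

// auditSANs returns the SANs that fall under any excluded constraint.
func auditSANs(sans, excluded []string) []string {
	var hits []string
	for _, san := range sans {
		for _, c := range excluded {
			if excludedBy(san, c) {
				hits = append(hits, san)
				break
			}
		}
	}
	return hits
}

func main() {
	// Constructed sample values, not taken from any real certificate.
	sans := []string{"*.EXAMPLE.com", "www.example.org", "*.example.net"}
	fmt.Println(auditSANs(sans, []string{"example.com"}))
}
```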
| Vendor | Product | Versions |
|---|---|---|
| go standard library | crypto/x509 | 1.26.0-0, 1.26.1 |
Updated severity to CRITICAL, added affected version 1.26.1, and noted that the vulnerability is actively exploited.
Initial creation