Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
OpenSSL: Empty DNS name in certificate chain can crash verification
UBUNTU-CVE-2026-27138
Summary
A bug in OpenSSL can cause a program to crash when verifying an X.509 certificate chain. This can happen when the chain includes a certificate with an empty DNS name and another certificate with restrictions on which names are allowed. To prevent a crash, update to the latest version of OpenSSL.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| canonical | golang-1.24 | All versions | – |
| canonical | golang-1.25 | All versions | – |
Original title
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either ...
Original description
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
- https://ubuntu.com/security/CVE-2026-27138 Third Party Advisory
- https://www.cve.org/CVERecord?id=CVE-2026-27138 Third Party Advisory
- https://github.com/golang/go/issues/77953 Third Party Advisory
- https://go.dev/cl/752183 Third Party Advisory
- https://go.dev/issue/77953 Third Party Advisory
- https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk Third Party Advisory
- https://pkg.go.dev/vuln/GO-2026-4600 Third Party Advisory
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026