CVE-2025-68121

Critical CVSS: 10.0

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Vendor

Golang

Product

CWE

CWE-295

Yayın Tarihi

2026-02-05 18:16:10

Güncelleme

2026-02-20 17:25:50

Source Identifier

security@golang.org

KEV Date Added

Kategoriler

CWE-295 Go CRITICAL Golang 2026

Referanslar

https://go.dev/cl/737700 https://go.dev/issue/77217 https://groups.google.com/g/golang-announce/c/K09ubi9FQFk https://pkg.go.dev/vuln/GO-2026-4337

Benzer Kayıtlar

High

CVE-2025-61732

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

Low

CVE-2025-22873

It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For examp…

High

CVE-2025-68119

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercuria…

High

CVE-2025-61731

Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of…

High

CVE-2025-61726

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query p…

Medium

CVE-2025-61728

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is open…