CVE-2026-42505:
cAdvisor Análisis y mitigación de vulnerabilidades
Vista general
CVE-2026-42505 is an information disclosure vulnerability in the Go standard library's crypto/tls package, where TLS handshakes using Encrypted Client Hello (ECH) could be de-anonymized by a passive network observer due to pre-shared key (PSK) identities being leaked in the unencrypted outer Client Hello. It affects Go versions prior to 1.25.12, 1.26.0–1.26.5, and 1.27.0-0–1.27.0-rc.2. The vulnerability was published on July 8, 2026, and is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data). It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, Go Vuln DB).
Técnicas
The root cause is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data). When a TLS handshake employs Encrypted Client Hello — a privacy-enhancing extension designed to encrypt the inner ClientHello containing sensitive fields like the Server Name Indication (SNI) — the Go crypto/tls implementation inadvertently included pre-shared key (PSK) identities in the outer, unencrypted ClientHello message. A passive network observer positioned on the network path can read these PSK identities without any active interaction, effectively correlating encrypted sessions and de-anonymizing connections that ECH was intended to protect. No authentication or user interaction is required for exploitation (GitHub Advisory, Go Issue).
Impacto
The primary impact is a confidentiality breach: passive network observers can de-anonymize TLS connections that rely on Encrypted Client Hello for privacy, by reading exposed PSK identities from unencrypted handshake messages. There is no integrity or availability impact. The vulnerability undermines the privacy guarantees of ECH, potentially allowing traffic analysis, user tracking, or correlation of encrypted sessions across network paths — particularly relevant in environments where ECH is deployed specifically to prevent such surveillance (GitHub Advisory, Go Vuln DB).
Pasos de explotación
- Positioning: An attacker positions themselves as a passive observer on a network path between a Go-based TLS client (using ECH) and a server — for example, via ISP-level monitoring, a compromised router, or a network tap.
- Traffic capture: The attacker captures TLS handshake traffic using standard packet capture tools (e.g.,
tcpdump, Wireshark). - Inspect outer ClientHello: The attacker inspects the unencrypted outer ClientHello messages in the captured TLS handshakes, specifically looking for PSK identity fields that should have been protected by ECH.
- Extract PSK identities: The attacker reads the exposed pre-shared key identities from the plaintext handshake data, which can be used to correlate sessions, identify users or services, and de-anonymize connections that ECH was intended to protect (GitHub Advisory, Go Issue).
Mitigación y soluciones alternativas
Go has released patched versions addressing this vulnerability: Go 1.25.12, Go 1.26.5, and Go 1.27.0-rc.2 or later. Developers and operators should upgrade their Go toolchain to one of these versions and rebuild affected applications. The fix is tracked in the Go change list CL/775960. No configuration-based workaround is documented; upgrading is the recommended remediation. Organizations that do not use Encrypted Client Hello are not affected by this specific issue (GitHub Advisory, Golang Announce).
Reacciones de la comunidad
The Go team disclosed the vulnerability via the golang-announce mailing list and published a fix through the standard Go security release process. The advisory was picked up by vulnerability tracking services including OSV, Tenable Nessus, and VulnDB shortly after publication. No significant independent researcher commentary or broad media coverage has been identified beyond standard vulnerability database aggregation (Golang Announce, OSS-Sec).
Recursos adicionales
Fuente: Este informe se generó utilizando IA
Relacionado cAdvisor Vulnerabilidades:
Evaluación gratuita de vulnerabilidades
Compare su postura de seguridad en la nube
Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.
Recursos adicionales de Wiz
Obtén una demostración personalizada
¿Listo para ver a Wiz en acción?
"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."