CVE-2026-42505
Go Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-42505 is an information disclosure vulnerability in Go's crypto/tls standard library package affecting the Encrypted Client Hello (ECH) implementation. TLS handshakes using ECH can be de-anonymized by a passive network observer because pre-shared key (PSK) identities are inadvertently disclosed in the unencrypted portion of the Client Hello message. The vulnerability affects Go versions prior to 1.25.12, 1.26.0–1.26.4 (fixed in 1.26.5), and the 1.27.0-rc.1 release candidate. It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, Red Hat Bugzilla).

Détails techniques

The root cause is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data): the crypto/tls implementation incorrectly includes pre-shared key identities in the unencrypted outer Client Hello when performing an ECH handshake, rather than keeping them within the encrypted inner Client Hello. ECH is specifically designed to hide sensitive handshake metadata (such as the Server Name Indication) from passive observers, so leaking PSK identities in plaintext directly undermines this privacy guarantee. The attack vector is network-based, requires no authentication or user interaction, and can be performed passively by any observer with access to the network path between client and server. The fix is tracked at go.dev/cl/775960 and issue go.dev/issue/79282 (GitHub Advisory, pkg.go.dev).

Impact

Successful exploitation allows a passive network observer to de-anonymize TLS handshakes that were intended to be privacy-protected by ECH, exposing pre-shared key identities that can be used to identify communicating parties or session resumption patterns. The impact is limited to confidentiality (low), with no integrity or availability consequences. This is particularly significant in privacy-sensitive deployments where ECH is used specifically to prevent traffic analysis, as the leaked PSK identities could enable user tracking or correlation of network sessions (GitHub Advisory, Red Hat Bugzilla).

Étapes d’exploitation

  1. Reconnaissance: Identify network traffic from clients using Go applications that implement TLS with Encrypted Client Hello (ECH) and session resumption (PSK), using passive network monitoring tools such as Wireshark or tcpdump.
  2. Traffic capture: Position on the network path between the Go TLS client and server (e.g., on a shared network segment, ISP level, or via a compromised router) to capture TLS handshake packets without active interference.
  3. Inspect unencrypted Client Hello: Parse the captured TLS ClientHello messages and examine the unencrypted outer Client Hello for the pre_shared_key extension, which should normally be absent or encrypted but is incorrectly present in affected Go versions.
  4. Extract PSK identities: Read the disclosed PSK identity values from the plaintext extension data to identify session resumption attempts, correlate sessions, or de-anonymize the communicating client (pkg.go.dev, GitHub Advisory).

Indicateurs de compromis

  • Network: TLS ClientHello packets from Go clients containing a pre_shared_key extension in the unencrypted outer Client Hello alongside an ECH extension — this combination should not appear in correctly implemented ECH handshakes.
  • Network: Repeated session resumption attempts (PSK-based handshakes) observable in plaintext network captures from Go-based clients on affected versions (pre-1.25.12 or 1.26.0–1.26.4).
  • Logs: Application or TLS debug logs showing ECH negotiation alongside PSK session resumption on Go versions prior to the patched releases.

Atténuation et solutions de contournement

The Go team has released patched versions addressing this vulnerability: Go 1.25.12 (for the 1.25.x branch) and Go 1.26.5 (for the 1.26.x branch); users of the 1.27.0-rc.1 release candidate should upgrade to 1.27.0-rc.2 or later. The fix is available via the Go change at go.dev/cl/775960. Organizations should update all Go toolchains and rebuild affected binaries; no configuration-based workaround is available other than disabling ECH or PSK session resumption if upgrading is not immediately possible. Red Hat and SUSE have issued advisories and updated packages for their distributions (Red Hat Bugzilla, pkg.go.dev, GitHub Advisory).

Réactions de la communauté

The Go security team disclosed the vulnerability via the golang-announce mailing list and published a detailed advisory on pkg.go.dev. Red Hat opened a Bugzilla tracking entry with medium severity and notified a broad list of product teams. SUSE issued security update announcements (SUSE-SU-2026:2817-1 and SUSE-SU-2026:3046-1) for their Go packages, and openSUSE published corresponding security announcements. Microsoft's MSRC also acknowledged the CVE. Community reaction has been measured given the moderate severity and passive-only exploitation requirement (golang-announce, Red Hat Bugzilla).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Go Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2023-54365HIGH8.7
  • Go logoGo
  • traefik
NonOuiJun 23, 2026
CVE-2026-39822HIGH7.8
  • Go logoGo
  • argo-events
NonOuiJul 08, 2026
CVE-2026-42504HIGH7.5
  • Go logoGo
  • victoriametrics-operator-fips
NonOuiJun 02, 2026
CVE-2026-42505MEDIUM5.3
  • Go logoGo
  • gcp-compute-persistent-disk-csi-driver-fips-1.26
NonOuiJul 08, 2026
CVE-2026-42507MEDIUM5.3
  • Go logoGo
  • grafana-pyroscope-1.16
NonOuiJun 02, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités