CVE-2026-42505
Go Analisi e mitigazione delle vulnerabilità

Panoramica

CVE-2026-42505 is an information disclosure vulnerability in Go's crypto/tls standard library package affecting the Encrypted Client Hello (ECH) implementation. TLS handshakes using ECH can be de-anonymized by a passive network observer because pre-shared key (PSK) identities are inadvertently disclosed in the unencrypted portion of the Client Hello message. The vulnerability affects Go versions prior to 1.25.12, 1.26.0–1.26.4 (fixed in 1.26.5), and the 1.27.0-rc.1 release candidate. It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, Red Hat Bugzilla).

Dettagli tecnici

The root cause is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data): the crypto/tls implementation incorrectly includes pre-shared key identities in the unencrypted outer Client Hello when performing an ECH handshake, rather than keeping them within the encrypted inner Client Hello. ECH is specifically designed to hide sensitive handshake metadata (such as the Server Name Indication) from passive observers, so leaking PSK identities in plaintext directly undermines this privacy guarantee. The attack vector is network-based, requires no authentication or user interaction, and can be performed passively by any observer with access to the network path between client and server. The fix is tracked at go.dev/cl/775960 and issue go.dev/issue/79282 (GitHub Advisory, pkg.go.dev).

Impatto

Successful exploitation allows a passive network observer to de-anonymize TLS handshakes that were intended to be privacy-protected by ECH, exposing pre-shared key identities that can be used to identify communicating parties or session resumption patterns. The impact is limited to confidentiality (low), with no integrity or availability consequences. This is particularly significant in privacy-sensitive deployments where ECH is used specifically to prevent traffic analysis, as the leaked PSK identities could enable user tracking or correlation of network sessions (GitHub Advisory, Red Hat Bugzilla).

Passaggi di sfruttamento

  1. Reconnaissance: Identify network traffic from clients using Go applications that implement TLS with Encrypted Client Hello (ECH) and session resumption (PSK), using passive network monitoring tools such as Wireshark or tcpdump.
  2. Traffic capture: Position on the network path between the Go TLS client and server (e.g., on a shared network segment, ISP level, or via a compromised router) to capture TLS handshake packets without active interference.
  3. Inspect unencrypted Client Hello: Parse the captured TLS ClientHello messages and examine the unencrypted outer Client Hello for the pre_shared_key extension, which should normally be absent or encrypted but is incorrectly present in affected Go versions.
  4. Extract PSK identities: Read the disclosed PSK identity values from the plaintext extension data to identify session resumption attempts, correlate sessions, or de-anonymize the communicating client (pkg.go.dev, GitHub Advisory).

Indicatori di compromesso

  • Network: TLS ClientHello packets from Go clients containing a pre_shared_key extension in the unencrypted outer Client Hello alongside an ECH extension — this combination should not appear in correctly implemented ECH handshakes.
  • Network: Repeated session resumption attempts (PSK-based handshakes) observable in plaintext network captures from Go-based clients on affected versions (pre-1.25.12 or 1.26.0–1.26.4).
  • Logs: Application or TLS debug logs showing ECH negotiation alongside PSK session resumption on Go versions prior to the patched releases.

Mitigazione e soluzioni alternative

The Go team has released patched versions addressing this vulnerability: Go 1.25.12 (for the 1.25.x branch) and Go 1.26.5 (for the 1.26.x branch); users of the 1.27.0-rc.1 release candidate should upgrade to 1.27.0-rc.2 or later. The fix is available via the Go change at go.dev/cl/775960. Organizations should update all Go toolchains and rebuild affected binaries; no configuration-based workaround is available other than disabling ECH or PSK session resumption if upgrading is not immediately possible. Red Hat and SUSE have issued advisories and updated packages for their distributions (Red Hat Bugzilla, pkg.go.dev, GitHub Advisory).

Reazioni della comunità

The Go security team disclosed the vulnerability via the golang-announce mailing list and published a detailed advisory on pkg.go.dev. Red Hat opened a Bugzilla tracking entry with medium severity and notified a broad list of product teams. SUSE issued security update announcements (SUSE-SU-2026:2817-1 and SUSE-SU-2026:3046-1) for their Go packages, and openSUSE published corresponding security announcements. Microsoft's MSRC also acknowledged the CVE. Community reaction has been measured given the moderate severity and passive-only exploitation requirement (golang-announce, Red Hat Bugzilla).

Risorse aggiuntive


FonteQuesto report è stato generato utilizzando l'intelligenza artificiale

Imparentato Go Vulnerabilità:

CVE ID

Severità

Punteggio

Tecnologie

Nome del componente

Exploit CISA KEV

Ha la correzione

Data di pubblicazione

CVE-2023-54365HIGH8.7
  • Go logoGo
  • traefik
NoJun 23, 2026
CVE-2026-39822HIGH7.8
  • Go logoGo
  • argo-events
NoJul 08, 2026
CVE-2026-42504HIGH7.5
  • Go logoGo
  • victoriametrics-operator-fips
NoJun 02, 2026
CVE-2026-42505MEDIUM5.3
  • Go logoGo
  • gcp-compute-persistent-disk-csi-driver-fips-1.26
NoJul 08, 2026
CVE-2026-42507MEDIUM5.3
  • Go logoGo
  • grafana-pyroscope-1.16
NoJun 02, 2026

Valutazione gratuita delle vulnerabilità

Benchmark della tua posizione di sicurezza del cloud

Valuta le tue pratiche di sicurezza cloud in 9 domini di sicurezza per confrontare il tuo livello di rischio e identificare le lacune nelle tue difese.

Richiedi valutazione

Richiedi una demo personalizzata

Pronti a vedere Wiz in azione?

"La migliore esperienza utente che abbia mai visto offre piena visibilità ai carichi di lavoro cloud."
David EstlickCISO (CISO)
"Wiz fornisce un unico pannello di controllo per vedere cosa sta succedendo nei nostri ambienti cloud."
Adam FletcherResponsabile della sicurezza
"Sappiamo che se Wiz identifica qualcosa come critico, in realtà lo è."
Greg PoniatowskiResponsabile della gestione delle minacce e delle vulnerabilità