
PEACH
Un framework di isolamento del tenant
CVE-2026-42505 is an information disclosure vulnerability in Go's crypto/tls standard library package affecting the Encrypted Client Hello (ECH) implementation. TLS handshakes using ECH can be de-anonymized by a passive network observer because pre-shared key (PSK) identities are inadvertently disclosed in the unencrypted portion of the Client Hello message. The vulnerability affects Go versions prior to 1.25.12, 1.26.0–1.26.4 (fixed in 1.26.5), and the 1.27.0-rc.1 release candidate. It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, Red Hat Bugzilla).
The root cause is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data): the crypto/tls implementation incorrectly includes pre-shared key identities in the unencrypted outer Client Hello when performing an ECH handshake, rather than keeping them within the encrypted inner Client Hello. ECH is specifically designed to hide sensitive handshake metadata (such as the Server Name Indication) from passive observers, so leaking PSK identities in plaintext directly undermines this privacy guarantee. The attack vector is network-based, requires no authentication or user interaction, and can be performed passively by any observer with access to the network path between client and server. The fix is tracked at go.dev/cl/775960 and issue go.dev/issue/79282 (GitHub Advisory, pkg.go.dev).
Successful exploitation allows a passive network observer to de-anonymize TLS handshakes that were intended to be privacy-protected by ECH, exposing pre-shared key identities that can be used to identify communicating parties or session resumption patterns. The impact is limited to confidentiality (low), with no integrity or availability consequences. This is particularly significant in privacy-sensitive deployments where ECH is used specifically to prevent traffic analysis, as the leaked PSK identities could enable user tracking or correlation of network sessions (GitHub Advisory, Red Hat Bugzilla).
pre_shared_key extension, which should normally be absent or encrypted but is incorrectly present in affected Go versions.pre_shared_key extension in the unencrypted outer Client Hello alongside an ECH extension — this combination should not appear in correctly implemented ECH handshakes.The Go team has released patched versions addressing this vulnerability: Go 1.25.12 (for the 1.25.x branch) and Go 1.26.5 (for the 1.26.x branch); users of the 1.27.0-rc.1 release candidate should upgrade to 1.27.0-rc.2 or later. The fix is available via the Go change at go.dev/cl/775960. Organizations should update all Go toolchains and rebuild affected binaries; no configuration-based workaround is available other than disabling ECH or PSK session resumption if upgrading is not immediately possible. Red Hat and SUSE have issued advisories and updated packages for their distributions (Red Hat Bugzilla, pkg.go.dev, GitHub Advisory).
The Go security team disclosed the vulnerability via the golang-announce mailing list and published a detailed advisory on pkg.go.dev. Red Hat opened a Bugzilla tracking entry with medium severity and notified a broad list of product teams. SUSE issued security update announcements (SUSE-SU-2026:2817-1 and SUSE-SU-2026:3046-1) for their Go packages, and openSUSE published corresponding security announcements. Microsoft's MSRC also acknowledged the CVE. Community reaction has been measured given the moderate severity and passive-only exploitation requirement (golang-announce, Red Hat Bugzilla).
Fonte: Questo report è stato generato utilizzando l'intelligenza artificiale
Valutazione gratuita delle vulnerabilità
Valuta le tue pratiche di sicurezza cloud in 9 domini di sicurezza per confrontare il tuo livello di rischio e identificare le lacune nelle tue difese.
Richiedi una demo personalizzata
"La migliore esperienza utente che abbia mai visto offre piena visibilità ai carichi di lavoro cloud."
"Wiz fornisce un unico pannello di controllo per vedere cosa sta succedendo nei nostri ambienti cloud."
"Sappiamo che se Wiz identifica qualcosa come critico, in realtà lo è."