CVE-2026-42505
cAdvisor 脆弱性の分析と軽減

概要

CVE-2026-42505 is an information disclosure vulnerability in the Go standard library's crypto/tls package, where TLS handshakes using Encrypted Client Hello (ECH) could be de-anonymized by a passive network observer due to pre-shared key (PSK) identities being leaked in the unencrypted outer Client Hello. It affects Go versions prior to 1.25.12, 1.26.0–1.26.5, and 1.27.0-0–1.27.0-rc.2. The vulnerability was published on July 8, 2026, and is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data). It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, Go Vuln DB).

技術的な詳細

The root cause is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data). When a TLS handshake employs Encrypted Client Hello — a privacy-enhancing extension designed to encrypt the inner ClientHello containing sensitive fields like the Server Name Indication (SNI) — the Go crypto/tls implementation inadvertently included pre-shared key (PSK) identities in the outer, unencrypted ClientHello message. A passive network observer positioned on the network path can read these PSK identities without any active interaction, effectively correlating encrypted sessions and de-anonymizing connections that ECH was intended to protect. No authentication or user interaction is required for exploitation (GitHub Advisory, Go Issue).

影響

The primary impact is a confidentiality breach: passive network observers can de-anonymize TLS connections that rely on Encrypted Client Hello for privacy, by reading exposed PSK identities from unencrypted handshake messages. There is no integrity or availability impact. The vulnerability undermines the privacy guarantees of ECH, potentially allowing traffic analysis, user tracking, or correlation of encrypted sessions across network paths — particularly relevant in environments where ECH is deployed specifically to prevent such surveillance (GitHub Advisory, Go Vuln DB).

エクスプロイテーションのステップ

  1. Positioning: An attacker positions themselves as a passive observer on a network path between a Go-based TLS client (using ECH) and a server — for example, via ISP-level monitoring, a compromised router, or a network tap.
  2. Traffic capture: The attacker captures TLS handshake traffic using standard packet capture tools (e.g., tcpdump, Wireshark).
  3. Inspect outer ClientHello: The attacker inspects the unencrypted outer ClientHello messages in the captured TLS handshakes, specifically looking for PSK identity fields that should have been protected by ECH.
  4. Extract PSK identities: The attacker reads the exposed pre-shared key identities from the plaintext handshake data, which can be used to correlate sessions, identify users or services, and de-anonymize connections that ECH was intended to protect (GitHub Advisory, Go Issue).

軽減策と回避策

Go has released patched versions addressing this vulnerability: Go 1.25.12, Go 1.26.5, and Go 1.27.0-rc.2 or later. Developers and operators should upgrade their Go toolchain to one of these versions and rebuild affected applications. The fix is tracked in the Go change list CL/775960. No configuration-based workaround is documented; upgrading is the recommended remediation. Organizations that do not use Encrypted Client Hello are not affected by this specific issue (GitHub Advisory, Golang Announce).

コミュニティの反応

The Go team disclosed the vulnerability via the golang-announce mailing list and published a fix through the standard Go security release process. The advisory was picked up by vulnerability tracking services including OSV, Tenable Nessus, and VulnDB shortly after publication. No significant independent researcher commentary or broad media coverage has been identified beyond standard vulnerability database aggregation (Golang Announce, OSS-Sec).

関連情報


ソースこのレポートは AI を使用して生成されました

関連 cAdvisor 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2026-39822HIGH7.8
  • cAdvisor logocAdvisor
  • netdata-fips-2.10
いいえはいJul 08, 2026
CVE-2026-42306HIGH7.2
  • cAdvisor logocAdvisor
  • cpe:2.3:a:docker:engine
いいえはいJun 12, 2026
CVE-2026-41568MEDIUM6.1
  • cAdvisor logocAdvisor
  • datadog-agent-7.77
いいえはいJun 12, 2026
CVE-2026-42505MEDIUM5.3
  • cAdvisor logocAdvisor
  • crossplane-provider-gcp-beta-compute
いいえはいJul 08, 2026
CVE-2026-41579LOW3.3
  • cAdvisor logocAdvisor
  • gpu-operator-26.3
いいえはいJul 01, 2026

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者