
Cloud Vulnerability DB
コミュニティ主導の脆弱性データベース
CVE-2026-42505 is an information disclosure vulnerability in the Go standard library's crypto/tls package, where TLS handshakes using Encrypted Client Hello (ECH) could be de-anonymized by a passive network observer due to pre-shared key (PSK) identities being leaked in the unencrypted outer Client Hello. It affects Go versions prior to 1.25.12, 1.26.0–1.26.5, and 1.27.0-0–1.27.0-rc.2. The vulnerability was published on July 8, 2026, and is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data). It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, Go Vuln DB).
The root cause is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data). When a TLS handshake employs Encrypted Client Hello — a privacy-enhancing extension designed to encrypt the inner ClientHello containing sensitive fields like the Server Name Indication (SNI) — the Go crypto/tls implementation inadvertently included pre-shared key (PSK) identities in the outer, unencrypted ClientHello message. A passive network observer positioned on the network path can read these PSK identities without any active interaction, effectively correlating encrypted sessions and de-anonymizing connections that ECH was intended to protect. No authentication or user interaction is required for exploitation (GitHub Advisory, Go Issue).
The primary impact is a confidentiality breach: passive network observers can de-anonymize TLS connections that rely on Encrypted Client Hello for privacy, by reading exposed PSK identities from unencrypted handshake messages. There is no integrity or availability impact. The vulnerability undermines the privacy guarantees of ECH, potentially allowing traffic analysis, user tracking, or correlation of encrypted sessions across network paths — particularly relevant in environments where ECH is deployed specifically to prevent such surveillance (GitHub Advisory, Go Vuln DB).
tcpdump, Wireshark).Go has released patched versions addressing this vulnerability: Go 1.25.12, Go 1.26.5, and Go 1.27.0-rc.2 or later. Developers and operators should upgrade their Go toolchain to one of these versions and rebuild affected applications. The fix is tracked in the Go change list CL/775960. No configuration-based workaround is documented; upgrading is the recommended remediation. Organizations that do not use Encrypted Client Hello are not affected by this specific issue (GitHub Advisory, Golang Announce).
The Go team disclosed the vulnerability via the golang-announce mailing list and published a fix through the standard Go security release process. The advisory was picked up by vulnerability tracking services including OSV, Tenable Nessus, and VulnDB shortly after publication. No significant independent researcher commentary or broad media coverage has been identified beyond standard vulnerability database aggregation (Golang Announce, OSS-Sec).
ソース: このレポートは AI を使用して生成されました
無料の脆弱性評価
9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。
パーソナライズされたデモを見る
"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"