CVE-2026-42505
cAdvisor Análise e mitigação de vulnerabilidades

Visão geral

CVE-2026-42505 is an information disclosure vulnerability in the Go standard library's crypto/tls package, where TLS handshakes using Encrypted Client Hello (ECH) could be de-anonymized by a passive network observer due to pre-shared key (PSK) identities being leaked in the unencrypted outer Client Hello. It affects Go versions prior to 1.25.12, 1.26.0–1.26.5, and 1.27.0-0–1.27.0-rc.2. The vulnerability was published on July 8, 2026, and is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data). It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, Go Vuln DB).

Detalhes técnicos

The root cause is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data). When a TLS handshake employs Encrypted Client Hello — a privacy-enhancing extension designed to encrypt the inner ClientHello containing sensitive fields like the Server Name Indication (SNI) — the Go crypto/tls implementation inadvertently included pre-shared key (PSK) identities in the outer, unencrypted ClientHello message. A passive network observer positioned on the network path can read these PSK identities without any active interaction, effectively correlating encrypted sessions and de-anonymizing connections that ECH was intended to protect. No authentication or user interaction is required for exploitation (GitHub Advisory, Go Issue).

Impacto

The primary impact is a confidentiality breach: passive network observers can de-anonymize TLS connections that rely on Encrypted Client Hello for privacy, by reading exposed PSK identities from unencrypted handshake messages. There is no integrity or availability impact. The vulnerability undermines the privacy guarantees of ECH, potentially allowing traffic analysis, user tracking, or correlation of encrypted sessions across network paths — particularly relevant in environments where ECH is deployed specifically to prevent such surveillance (GitHub Advisory, Go Vuln DB).

Etapas de exploração

  1. Positioning: An attacker positions themselves as a passive observer on a network path between a Go-based TLS client (using ECH) and a server — for example, via ISP-level monitoring, a compromised router, or a network tap.
  2. Traffic capture: The attacker captures TLS handshake traffic using standard packet capture tools (e.g., tcpdump, Wireshark).
  3. Inspect outer ClientHello: The attacker inspects the unencrypted outer ClientHello messages in the captured TLS handshakes, specifically looking for PSK identity fields that should have been protected by ECH.
  4. Extract PSK identities: The attacker reads the exposed pre-shared key identities from the plaintext handshake data, which can be used to correlate sessions, identify users or services, and de-anonymize connections that ECH was intended to protect (GitHub Advisory, Go Issue).

Mitigação e soluções alternativas

Go has released patched versions addressing this vulnerability: Go 1.25.12, Go 1.26.5, and Go 1.27.0-rc.2 or later. Developers and operators should upgrade their Go toolchain to one of these versions and rebuild affected applications. The fix is tracked in the Go change list CL/775960. No configuration-based workaround is documented; upgrading is the recommended remediation. Organizations that do not use Encrypted Client Hello are not affected by this specific issue (GitHub Advisory, Golang Announce).

Reações da comunidade

The Go team disclosed the vulnerability via the golang-announce mailing list and published a fix through the standard Go security release process. The advisory was picked up by vulnerability tracking services including OSV, Tenable Nessus, and VulnDB shortly after publication. No significant independent researcher commentary or broad media coverage has been identified beyond standard vulnerability database aggregation (Golang Announce, OSS-Sec).

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado cAdvisor Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2026-42306HIGH7.2
  • cAdvisor logocAdvisor
  • datadog-agent-7
NãoSimJun 12, 2026
CVE-2026-41567HIGH7.2
  • cAdvisor logocAdvisor
  • rancher-2.14
NãoSimJun 05, 2026
CVE-2026-41568MEDIUM6.1
  • cAdvisor logocAdvisor
  • paketo-buildpacks-miniconda
NãoSimJun 12, 2026
CVE-2026-42505MEDIUM5.3
  • cAdvisor logocAdvisor
  • backup-restore-operator-fips-8.1
NãoSimJul 08, 2026
CVE-2026-41579LOW3.3
  • cAdvisor logocAdvisor
  • k8s-device-plugin-fips
NãoSimJul 01, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades