
PEACH
Uma estrutura de isolamento de inquilino
CVE-2026-42505 is an information disclosure vulnerability in the Go standard library's crypto/tls package, where TLS handshakes using Encrypted Client Hello (ECH) could be de-anonymized by a passive network observer due to pre-shared key (PSK) identities being leaked in the unencrypted outer Client Hello. It affects Go versions prior to 1.25.12, 1.26.0–1.26.5, and 1.27.0-0–1.27.0-rc.2. The vulnerability was published on July 8, 2026, and is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data). It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, Go Vuln DB).
The root cause is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data). When a TLS handshake employs Encrypted Client Hello — a privacy-enhancing extension designed to encrypt the inner ClientHello containing sensitive fields like the Server Name Indication (SNI) — the Go crypto/tls implementation inadvertently included pre-shared key (PSK) identities in the outer, unencrypted ClientHello message. A passive network observer positioned on the network path can read these PSK identities without any active interaction, effectively correlating encrypted sessions and de-anonymizing connections that ECH was intended to protect. No authentication or user interaction is required for exploitation (GitHub Advisory, Go Issue).
The primary impact is a confidentiality breach: passive network observers can de-anonymize TLS connections that rely on Encrypted Client Hello for privacy, by reading exposed PSK identities from unencrypted handshake messages. There is no integrity or availability impact. The vulnerability undermines the privacy guarantees of ECH, potentially allowing traffic analysis, user tracking, or correlation of encrypted sessions across network paths — particularly relevant in environments where ECH is deployed specifically to prevent such surveillance (GitHub Advisory, Go Vuln DB).
tcpdump, Wireshark).Go has released patched versions addressing this vulnerability: Go 1.25.12, Go 1.26.5, and Go 1.27.0-rc.2 or later. Developers and operators should upgrade their Go toolchain to one of these versions and rebuild affected applications. The fix is tracked in the Go change list CL/775960. No configuration-based workaround is documented; upgrading is the recommended remediation. Organizations that do not use Encrypted Client Hello are not affected by this specific issue (GitHub Advisory, Golang Announce).
The Go team disclosed the vulnerability via the golang-announce mailing list and published a fix through the standard Go security release process. The advisory was picked up by vulnerability tracking services including OSV, Tenable Nessus, and VulnDB shortly after publication. No significant independent researcher commentary or broad media coverage has been identified beyond standard vulnerability database aggregation (Golang Announce, OSS-Sec).
Origem: Este relatório foi gerado usando IA
Avaliação de vulnerabilidade gratuita
Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.
Marque uma demonstração personalizada
"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."