What is GHSA-4279-q6mj-392r?

GHSA-4279-q6mj-392r is a security advisory published by GitHub Security Advisories with unknown severity. (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS...

Which CVE IDs does GHSA-4279-q6mj-392r cover?

GHSA-4279-q6mj-392r covers the following CVE IDs: CVE-2026-27145. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

GHSA-4279-q6mj-392runknown

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS...

Vendor

GitHub Security Advisories

Published

June 3, 2026

Last Modified

June 3, 2026

🔗 CVE IDs covered (1)

CVE-2026-27145 →

📋 Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

🔗 References (6)

https://nvd.nist.gov/vuln/detail/CVE-2026-27145
https://go.dev/cl/783621
https://go.dev/issue/79694
https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw
https://pkg.go.dev/vuln/GO-2026-5037
https://github.com/advisories/GHSA-4279-q6mj-392r