Go 1.26.x crypto/x509 DNS Constraint Case Sensitivity
CVE-2026-33810 Published on April 8, 2026

Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
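The following is an added example, not code from the Go project or from this advisory: a defence-in-depth check an application can run over a chain that Verify has already accepted, re-comparing the leaf's DNS SANs against every excluded subtree in the chain without regard to case. The helper names `SANExcluded`, `AuditChain` and `demoFindings` are hypothetical, the sample chain is constructed in memory, and the wildcard handling is deliberately conservative rather than a copy of the library's matching rules.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// inSubtree: name equals constraint or is a subdomain of it (inputs lower-cased).
func inSubtree(name, constraint string) bool {
	return constraint == "" || name == constraint || strings.HasSuffix(name, "."+constraint)
}

// SANExcluded (hypothetical helper) reports whether a DNS SAN collides with
// an excluded subtree, comparing case-insensitively.
func SANExcluded(san string, excluded []string) bool {
	base, wildcard := strings.CutPrefix(strings.ToLower(strings.TrimSuffix(san, ".")), "*.")
	for _, c := range excluded {
		c = strings.TrimPrefix(strings.ToLower(c), ".")
		// Conservative for wildcards: also flag when the excluded subtree
		// lies below the wildcard's base, since "*" may expand into it.
		if inSubtree(base, c) || (wildcard && inSubtree(c, base)) {
			return true
		}
	}
	return false
}

// AuditChain (hypothetical helper) lists leaf SANs excluded by any CA above
// the leaf. chain[0] is the leaf, as in the chains Verify returns.
func AuditChain(chain []*x509.Certificate) (findings []string) {
	for i := 1; i < len(chain); i++ {
		for _, san := range chain[0].DNSNames {
			if SANExcluded(san, chain[i].ExcludedDNSDomains) {
				findings = append(findings, san)
			}
		}
	}
	return findings
}

// demoFindings audits a constructed, unsigned in-memory chain (leaf, then CA).
func demoFindings() []string {
	return AuditChain([]*x509.Certificate{
		{DNSNames: []string{"*.EXAMPLE.com", "ok.example.org"}},
		{ExcludedDNSDomains: []string{"example.com"}},
	})
}

func main() { fmt.Println(demoFindings()) }
```

A non-empty result for a chain that verification accepted means the chain should be rejected or logged for review.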

NVD

Vulnerability Analysis

CVE-2026-33810 is exploitable with network access and requires user interaction. The vulnerability is considered to have a low attack complexity. A successful exploit is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

Weakness Type

Improper Validation of Unsafe Equivalence in Input

The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.


Products Associated with CVE-2026-33810


Affected Versions

Go standard library crypto/x509:
Red Hat Cryostat 4 on RHEL 9:
Red Hat OpenStack Platform 17.1:
Red Hat Enterprise Linux AppStream EUS (v. 10.0):
Red Hat Enterprise Linux AppStream (v. 10):
Red Hat Enterprise Linux AppStream EUS (v.9.4):
Red Hat Enterprise Linux AppStream EUS (v.9.6):
Red Hat Enterprise Linux AppStream (v. 9):
Red Hat HawtIO HawtIO 4.4.0:
Logging Subsystem for Red Hat OpenShift 6.0:
Logging Subsystem for Red Hat OpenShift 6.4:
Red Hat Multicluster Global Hub 1.4.5:
Red Hat Multicluster Global Hub 1.5.4:
Red Hat Multicluster Global Hub 1.6.2:
Red Hat OpenShift API for Data Protection 1.4:
Red Hat OpenShift API for Data Protection 1.5:
Red Hat OpenShift Compliance Operator 1:
Red Hat Ansible Automation Platform 2.6:
Red Hat Hardened Images:
Red Hat Lightspeed (formerly Insights) for Runtimes 1:
Red Hat OpenShift Builds 1.6.5:
Red Hat OpenShift Builds 1.7.3:
Red Hat OpenShift Dev Spaces 3.28:
Red Hat OpenShift distributed tracing 3.9.3:
Red Hat Trusted Artifact Signer 1.3:
Red Hat Web Terminal 1.11:
Red Hat Web Terminal 1.12:
Red Hat Web Terminal 1.13:
Red Hat Web Terminal 1.14:
Red Hat Web Terminal 1.15:
Assisted Installer for Red Hat OpenShift Container Platform 2:
cert-manager Operator for Red Hat OpenShift:
Red Hat Confidential Compute Attestation:
Red Hat Deployment Validation Operator:
Red Hat Fence Agents Remediation Operator:
Red Hat File Integrity Operator:
Red Hat Gatekeeper 3:
Logging Subsystem for Red Hat OpenShift:
Red Hat Machine Deletion Remediation Operator:
Red Hat Migration Toolkit for Applications 8:
Red Hat Migration Toolkit for Containers:
mirror registry for Red Hat OpenShift:
Red Hat Multicluster Engine for Kubernetes:
Red Hat OpenShift Developer Tools and Services:
Red Hat OpenShift Pipelines:
Red Hat OpenShift Serverless:
Red Hat 3scale API Management Platform 2:
Red Hat Certification Program for Red Hat Enterprise Linux 9:
Red Hat Connectivity Link 1:
Red Hat Edge Manager 1:
Red Hat Enterprise Linux 10:
Red Hat Enterprise Linux 7:
Red Hat Enterprise Linux 8:
Red Hat Enterprise Linux 9:
Red Hat Enterprise Linux AI (RHEL AI) 3:
Red Hat OpenShift Cluster Manager CLI:
Red Hat OpenShift Container Platform 4:
Red Hat Openshift Data Foundation 4:
Red Hat OpenShift Dev Workspaces Operator:
Red Hat OpenShift GitOps:
Red Hat OpenShift on AWS:
Red Hat OpenShift Virtualization 4:
Red Hat OpenStack Platform 16.2:
Red Hat OpenStack Platform 18.0:
Red Hat Quay 3:
Red Hat Satellite 6:
Red Hat Security Profiles Operator:
Custom Metric Autoscaler operator for Red Hat Openshift:
External Secrets Operator for Red Hat OpenShift:
Red Hat ExternalDNS Operator:
Red Hat Logical Volume Manager Storage:
mirror registry for Red Hat OpenShift 2:
Red Hat Network Observability Operator:
Red Hat Node HealthCheck Operator:
Red Hat OpenShift Lightspeed:
Red Hat OpenShift Service Mesh 2:
Red Hat OpenShift Service Mesh 3:
Power monitoring for Red Hat OpenShift:
Red Hat Advanced Cluster Management for Kubernetes 2:
Red Hat Advanced Cluster Security 4:
Red Hat Ansible Automation Platform 2:
Red Hat Developer Hub:
Red Hat OpenShift AI (RHOAI):
Red Hat OpenShift for Windows Containers:
Red Hat Service Interconnect 1:
Red Hat Service Interconnect 2:
Red Hat Service Telemetry Framework 1.5:
Red Hat streams for Apache Kafka 3:
Red Hat Zero Trust Workload Identity Manager:
Red Hat Zero Trust Workload Identity Manager - Tech Preview:

Exploit Probability

EPSS: 0.26%
Percentile: 17.32%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.