During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
During TLS session resumption, the crypto/tls library does not account for changes made to the ClientCAs or RootCAs fields of the Config object after the initial handshake. If a user clones the configuration via Config.Clone and modifies the resulting object, or uses the Config.GetConfigForClient method, the resumed session may proceed according to outdated validation rules. As a result, certificate verification during session resumption relies on the old configuration state rather than the current one.
An attacker can resume a TLS session with a client or server that would not be accepted during a new full handshake — effectively bypassing certificate-based trust validation (CWE-295: Improper Certificate Validation). This can lead to unauthorized access to resources or acceptance of connections from entities that should be rejected.
Apply patches available from the vendor according to the references (https://go.dev/cl/737700, https://pkg.go.dev/vuln/GO-2026-4337). Until an update is applied, it is recommended to avoid mutating the ClientCAs and RootCAs fields after performing the initial TLS handshake, and to limit the use of Config.Clone and Config.GetConfigForClient in scenarios requiring dynamic changes to the certificate pool.
Applications written in Go that use the crypto/tls library, where TLS configuration (ClientCAs or RootCAs fields) is modified after the initial handshake — particularly when using Config.Clone or Config.GetConfigForClient. Specific versions are indicated in the vendor's references.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HGolang Go
APPGolang1.26.0< 1.24.131.25.0 – 1.25.7 (bez)
Related vulnerabilities
Błąd arytmetyczny w kompilatorze Golang Go prowadzący do uszkodzenia pamięci
Przewidywalne UUID w Fiber v2 — podatność na generowanie słabych identyfikatorów
Błędna klasyfikacja adresów IPv4-mapped IPv6 w bibliotece standardowej Go
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relati...
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" o...