Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
Summary
| CVE | CVE-2026-39821 |
|---|---|
| State | PUBLISHED |
| Assigner | Go |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-22 16:16:20 UTC |
| Updated | 2026-07-17 13:18:31 UTC |
| Description | The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com". |
Risk And Classification
Primary CVSS: v3.1 9.6 CRITICAL from ADP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.004780000 probability, percentile 0.381440000 (date 2026-07-16)
Problem Types: CWE-1289 | CWE-1289: Improper Validation of Unsafe Equivalence in Input | CWE-1289 CWE-1289 Improper Validation of Unsafe Equivalence in Input | CWE-1289 Improper Validation of Unsafe Equivalence in Input
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| 3.1 | ADP | CVSS | 8.2 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.2 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:40118 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34357 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36797 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-39821 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37435 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33531 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:41031 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:23262 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33160 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34789 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36651 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:30651 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35993 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:39879 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36808 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:39005 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| pkg.go.dev/vuln/GO-2026-5026 | [email protected] | pkg.go.dev | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:30854 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34342 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35994 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37387 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:26546 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:40945 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33524 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35827 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:30853 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35828 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34364 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35830 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:41036 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36207 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35829 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:26547 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35826 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| groups.google.com/g/golang-announce/c/iI-mYSI0lu8 | [email protected] | groups.google.com | Mailing List |
| access.redhat.com/errata/RHSA-2026:39573 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:40262 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| go.dev/issue/78760 | [email protected] | go.dev | Issue Tracking |
| access.redhat.com/errata/RHSA-2026:33163 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37436 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36167 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35831 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:23264 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36105 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:41055 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:41030 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:38995 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36648 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36820 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36796 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33173 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34359 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:40119 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:41066 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36883 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:30855 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:41019 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| go.dev/cl/767220 | [email protected] | go.dev | Issue Tracking |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39821.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33183 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33155 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:30650 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: KC1zs4 (https://github.com/KC1zs4) (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-22T16:00:52.844Z | Reported to Red Hat. |
| ADP | 2026-05-22T15:01:21.462Z | Made public. |
Solutions
ADP: RHSA-2026:41019: RHEM 1.1 for RHEL 10, RHEM 1.1 for RHEL 9
ADP: RHSA-2026:34789: Red Hat OpenShift Container Platform 4.22
ADP: RHSA-2026:36796: RHEM 1.0 for RHEL 9
ADP: RHSA-2026:30855: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:37436: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:35827: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:35826: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:34357: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:39005: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:39573: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)
ADP: RHSA-2026:38995: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:30853: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:35830: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:35831: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:30854: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:37435: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:35828: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:35829: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:34359: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:39879: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)
ADP: RHSA-2026:34342: Cluster Observability Operator 1.5.0
ADP: RHSA-2026:36808: DevWorkspace Operator 0.42
ADP: RHSA-2026:34364: Logging Subsystem for Red Hat OpenShift 6.4
ADP: RHSA-2026:41030: Multicluster Global Hub 1.4.5
ADP: RHSA-2026:30651: Red Hat Advanced Cluster Management for Kubernetes 2.13
ADP: RHSA-2026:26547: Red Hat Advanced Cluster Security for Kubernetes 4.10
ADP: RHSA-2026:36207: Red Hat Advanced Cluster Security for Kubernetes 4.11
ADP: RHSA-2026:26546: Red Hat Advanced Cluster Security for Kubernetes 4.9
ADP: RHSA-2026:36651: Red Hat Edge Manager 1.0
ADP: RHSA-2026:40945: Red Hat Edge Manager 1.1
ADP: RHSA-2026:40118: Red Hat Edge Manager 1.1
ADP: RHSA-2026:33531: Red Hat Enterprise Linux AI 3.4
ADP: RHSA-2026:33524: Red Hat Enterprise Linux AI 3.4
ADP: RHSA-2026:23262: Red Hat Hardened Images
ADP: RHSA-2026:23264: Red Hat Hardened Images
ADP: RHSA-2026:36648: Red Hat OpenShift Builds 1.7.4
ADP: RHSA-2026:41036: Red Hat OpenShift Builds 1.8.1
ADP: RHSA-2026:36820: Red Hat OpenShift Dev Spaces 3.29
ADP: RHSA-2026:35994: Red Hat OpenShift GitOps 1.19
ADP: RHSA-2026:35993: Red Hat OpenShift GitOps 1.20
ADP: RHSA-2026:33155: Red Hat OpenShift Service Mesh 2.6
ADP: RHSA-2026:33163: Red Hat OpenShift Service Mesh 3.1
ADP: RHSA-2026:33173: Red Hat OpenShift Service Mesh 3.2
ADP: RHSA-2026:33183: Red Hat OpenShift Service Mesh 3.3
ADP: RHSA-2026:33160: Red Hat OpenShift Service Mesh 3
ADP: RHSA-2026:37387: Red Hat Openshift Data Foundation 4.22
ADP: RHSA-2026:41031: Red Hat Quay 3.10
ADP: RHSA-2026:41066: Red Hat Quay 3.16
ADP: RHSA-2026:40262: Red Hat Quay 3.9
ADP: RHSA-2026:36797: Red Hat Trusted Artifact Signer 1.4
ADP: RHSA-2026:36105: multicluster engine for Kubernetes 2.6
ADP: RHSA-2026:36167: multicluster engine for Kubernetes 2.6
ADP: RHSA-2026:41055: multicluster engine for Kubernetes 2.6
ADP: RHSA-2026:40119: multicluster engine for Kubernetes 2.6
ADP: RHSA-2026:30650: multicluster engine for Kubernetes 2.8
ADP: RHSA-2026:36883: multicluster engine for Kubernetes 2.9
Workarounds
ADP: Upgrade to a fixed golang.org/x/net release that includes the idna correction, via updated golang or dependent package rebuilds.