CVE-2025-68121

Опубликовано: 05 фев. 2026

Источник: nvd

CVSS3: 10

CVSS3: 7.4

EPSS Низкий

Описание

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Ссылки

https://go.dev/cl/737700
Patch
https://go.dev/issue/77217
Exploit
Issue Tracking
https://groups.google.com/g/golang-announce/c/K09ubi9FQFk
Mailing List
Third Party Advisory
https://pkg.go.dev/vuln/GO-2026-4337
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

Версия до 1.24.13 (исключая)

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

Версия от 1.25.0 (включая) до 1.25.7 (исключая)

cpe:2.3:a:golang:go:1.26.0:rc1:*:*:*:*:*:*

cpe:2.3:a:golang:go:1.26.0:rc2:*:*:*:*:*:*

EPSS

Процентиль: 4%

0.00017

Низкий

10 Critical

CVSS3

7.4 High

CVSS3

Дефекты

CWE-295

Связанные уязвимости

CVE-2025-68121

CVSS3: 10

ubuntu

около 2 месяцев назад

CVE-2025-68121

CVSS3: 7.4

redhat

около 2 месяцев назад

CVE-2025-68121

msrc

21 день назад

Unexpected session resumption in crypto/tls

CVE-2025-68121

CVSS3: 10

debian

около 2 месяцев назад

During session resumption in crypto/tls, if the underlying Config has ...

RLSA-2026:3842

rocky

20 дней назад

Moderate: delve security update

EPSS

Процентиль: 4%

0.00017

Низкий

10 Critical

CVSS3

7.4 High

CVSS3

Дефекты

CWE-295