Vulnerability Monitor


CVE-2025-68121


During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
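The mutation pattern named above (clone a Config, swap its trust roots, keep using it) leaves the old resumption state in place. The following Go helpers, added here as an illustration and not code from the Go project or from this advisory, derive a new Config for a changed RootCAs or ClientCAs while also replacing the client session cache (client side) or rotating the session ticket keys (server side), so that sessions established under the previous trust roots cannot be resumed under the new ones. The helper names, the cache size and the single-key rotation are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// WithTrustRoots derives a client Config that trusts roots. Config.Clone is a
// shallow copy, so the clone still shares the original's ClientSessionCache;
// installing a fresh cache means no session from the old trust configuration
// is ever offered for resumption. (Assumed helper for this example.)
func WithTrustRoots(base *tls.Config, roots *x509.CertPool) *tls.Config {
	cfg := base.Clone()
	cfg.RootCAs = roots
	cfg.ClientSessionCache = tls.NewLRUClientSessionCache(64) // 64 entries: arbitrary choice
	return cfg
}

// WithClientCAs derives a server Config that verifies clients against
// clientCAs. Rotating the session ticket keys invalidates tickets issued
// before the change, so clients must perform a full handshake and be
// verified against the new ClientCAs. (Assumed helper for this example.)
func WithClientCAs(base *tls.Config, clientCAs *x509.CertPool) (*tls.Config, error) {
	cfg := base.Clone()
	cfg.ClientCAs = clientCAs
	cfg.ClientAuth = tls.RequireAndVerifyClientCert
	var key [32]byte
	if _, err := rand.Read(key[:]); err != nil {
		return nil, fmt.Errorf("generating session ticket key: %w", err)
	}
	cfg.SetSessionTicketKeys([][32]byte{key})
	return cfg, nil
}

// SharesResumptionState reports whether two client Configs could resume each
// other's sessions because they point at the same ClientSessionCache.
func SharesResumptionState(a, b *tls.Config) bool {
	return a.ClientSessionCache != nil && a.ClientSessionCache == b.ClientSessionCache
}

func main() {
	// Constructed sample: an initial client config and the risky in-place mutation.
	base := &tls.Config{
		RootCAs:            x509.NewCertPool(),
		ClientSessionCache: tls.NewLRUClientSessionCache(64),
		ServerName:         "example.test",
	}
	risky := base.Clone()
	risky.RootCAs = x509.NewCertPool() // new roots, but the old session cache is still shared
	fmt.Println("risky clone shares resumption state:", SharesResumptionState(base, risky))

	safe := WithTrustRoots(base, x509.NewCertPool())
	fmt.Println("derived config shares resumption state:", SharesResumptionState(base, safe))
}
```

The client-side check is the one to add to a code review: any place that assigns RootCAs on a Config that already has a ClientSessionCache should also replace that cache. On the server side, rotating ticket keys is the equivalent guard; it also costs one full handshake per client, which is the intended effect.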


Published

2026-02-05T18:16:10.857

Last Modified

2026-02-10T16:08:03.303

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 10.0 (CRITICAL)

Weaknesses

CWE-295 (Type: Secondary)

Affected Vendors & Products

Type         Vendor   Product   Version/Range   Vulnerable?
Application  golang   go        < 1.24.13       Yes
Application  golang   go        < 1.25.7        Yes
Application  golang   go        1.26.0          Yes

References