CVE-2026-39821

Summary
Assigner: Go
Assigner Org ID: 1bb62c36-49e3-4200-9d77-64a1400537cc
Published At: 22 May, 2026 | 15:01
Updated At: 23 May, 2026 | 03:55

Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program that performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".

Common Vulnerabilities and Exposures (CVE)
cve.org
CVE Numbering Authority (CNA)
Affected Products
Vendor: golang.org/x/net
Product: golang.org/x/net/idna
Collection URL: https://pkg.go.dev
Package Name: golang.org/x/net/idna
Program Routines
  • Profile.process
  • Profile.ToASCII
  • Profile.ToUnicode
  • ToASCII
  • ToUnicode
Default Status: unaffected
Versions
Affected
  • From 0 before 0.55.0 (semver)
Problem Types
Type: N/A
CWE ID: N/A
Description: CWE-1289: Improper Validation of Unsafe Equivalence in Input
Credits

KC1zs4 (https://github.com/KC1zs4)
References
https://go.dev/cl/767220
https://go.dev/issue/78760
https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
https://pkg.go.dev/vuln/GO-2026-5026
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Problem Types
Type: CWE
CWE ID: CWE-1289
Description: CWE-1289 Improper Validation of Unsafe Equivalence in Input
Metrics
Version: 3.1
Base score: 10.0
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N