CVE-2026-39821— Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
Possible ATT&CK Techniques 1AI
T1078 · Valid AccountsAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| golang.org/x/net | golang.org/x/net/idna | < 0.55.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-39821
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
Source: NVD (National Vulnerability Database)
Vulnerability Description
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Google Go 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Google Go是美国谷歌(Google)公司的一种静态强类型、编译型、并发型,并具有垃圾回收功能的编程语言。 Google Go存在安全漏洞,该漏洞源于ToASCII和ToUnicode函数错误接受解码为纯ASCII标签的Punycode编码标签,可能导致权限提升。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| golang.org/x/net | golang.org/x/net/idna | 0 ~ 0.55.0 | - |
II. Public POCs for CVE-2026-39821
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-39821
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-39821 (1)
Vendor Advisories for CVE-2026-39821 (3)
Same Patch Batch · golang.org/x/net · 2026-05-22 · 6 CVEs total
| CVE-2026-25680 | Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html | |
| CVE-2026-25681 | Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/ | |
| CVE-2026-42502 | Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html | |
| CVE-2026-42506 | Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net | |
| CVE-2026-27136 | Invoking duplicate attributes can cause XSS in golang.org/x/net/html |
IV. Related Vulnerabilities
Same vendor: golang.org/x/net
- CVE-2026-27136
Invoking duplicate attributes can cause XSS in golang.org/x - CVE-2026-25680
Invoking denial of service when parsing arbitrary HTML in go - CVE-2026-25681
Invoking incorrect handling of character references in DOCT - CVE-2026-42502
Invoking incorrect handling of HTML elements in foreign con - CVE-2026-42506
Invoking incorrect handling of namespaced elements in forei
V. Comments for CVE-2026-39821
No comments yet