CVE-2025-68121

Name
CVE-2025-68121
Description
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
NVD Severity
unknown

References

Type URI
security@golang.org https://go.dev/cl/737700
security@golang.org https://go.dev/issue/77217
security@golang.org https://groups.google.com/g/golang-announce/c/K09ubi9FQFk
security@golang.org https://pkg.go.dev/vuln/GO-2026-4337

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* go >= None < 1.24.13
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* go >= 1.25.0 < 1.25.7
cpe:2.3:a:golang:go:1.26.0:rc1:*:*:*:*:*:* go == None == 1.26.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
rclone edge-community 1.73.5-r0 Mike Crute <mike@crute.us> fixed
go edge-community 1.26.0-r1 Achill Gilgenast <achill@achill.org> fixed
go edge-community 1.26.0-r0 Achill Gilgenast <achill@achill.org> fixed
go edge-community 1.25.7-r0 Achill Gilgenast <achill@achill.org> fixed
go edge-community 1.25.6-r0 Achill Gilgenast <achill@achill.org> fixed
go edge-community 1.25.5-r0 Achill Gilgenast <achill@achill.org> possibly vulnerable
go edge-community 1.25.4-r0 Achill Gilgenast <achill@achill.org> possibly vulnerable
go edge-community 1.25.3-r0 Achill Gilgenast <achill@achill.org> possibly vulnerable
go edge-community 1.25.2-r0 Achill Gilgenast <achill@achill.org> possibly vulnerable
go edge-community 1.25.1-r0 Achill Gilgenast <achill@achill.org> possibly vulnerable
go edge-community 1.25.0-r0 Achill Gilgenast <achill@achill.org> possibly vulnerable
go edge-community 1.24.6-r1 Achill Gilgenast <achill@achill.org> possibly vulnerable
go edge-community 1.24.6-r0 fossdd <fossdd@pwned.life> possibly vulnerable
go edge-community 1.24.5-r1 fossdd <fossdd@pwned.life> possibly vulnerable
go edge-community 1.24.5-r0 fossdd <fossdd@pwned.life> possibly vulnerable
go edge-community 1.24.4-r0 fossdd <fossdd@pwned.life> possibly vulnerable
go edge-community 1.24.3-r1 None possibly vulnerable
go edge-community 1.24.3-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.24.2-r1 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.24.2-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.24.1-r1 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.24.1-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.24.0-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.23.6-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.23.5-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.23.4-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.23.3-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.23.2-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.23.1-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.22.6-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.22.5-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.22.4-r1 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.22.4-r0 None possibly vulnerable
go edge-community 1.22.3-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.22.2-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.22.1-r2 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.22.1-r1 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.22.1-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.22.0-r1 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.22.0-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.21.6-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.21.5-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.21.4-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.21.3-r1 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.21.3-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.21.2-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.21.1-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.21.0-r2 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.21.0-r1 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.21.0-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.20.7-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.20.6-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.20.5-r2 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.20.5-r1 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.20.5-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.20.4-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.20.3-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.20.2-r1 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.20.2-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.20.1-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.20-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.19.5-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.19.4-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.19.3-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.19.2-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.19.1-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.18.5-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> possibly vulnerable
go edge-community 1.18.4-r0 None possibly vulnerable
go edge-community 1.18.1-r0 None possibly vulnerable
go edge-community 1.17.8-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.17.7-r0 None possibly vulnerable
go edge-community 1.17.6-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.17.3-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.17.2-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.17.1-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.17-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.16.7-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.16.6-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.16.5-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.16.4-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
go edge-community 1.16.2-r0 None possibly vulnerable
go edge-community 1.15.7-r0 None possibly vulnerable
go edge-community 1.15.5-r0 None possibly vulnerable
go edge-community 1.15.2-r0 None possibly vulnerable
go edge-community 1.15-r0 None possibly vulnerable
go edge-community 1.14.5-r0 None possibly vulnerable
go edge-community 1.13.7-r0 None possibly vulnerable
go edge-community 1.13.2-r0 None possibly vulnerable
go edge-community 1.13.1-r0 None possibly vulnerable
go edge-community 1.12.8-r0 None possibly vulnerable
go edge-community 1.11.5-r0 None possibly vulnerable
go edge-community 1.9.4-r0 None possibly vulnerable
go 3.23-community 1.25.7-r0 Achill Gilgenast <achill@achill.org> fixed
go 3.23-community 1.25.6-r0 Achill Gilgenast <achill@achill.org> fixed
go 3.23-community 1.25.5-r0 Achill Gilgenast <achill@achill.org> possibly vulnerable