Listen to this Post
CVE-2026-42505 – Invoking Encrypted Client Hello privacy leak in crypto/tls
How the vulnerability works
The Go standard library’s `crypto/tls` package implements TLS 1.3, which includes support for Encrypted Client Hello (ECH) – a privacy extension that encrypts the Client Hello message to hide sensitive handshake parameters from network observers. However, when ECH is used, the implementation improperly includes the pre‑shared key (PSK) identities inside the unencrypted outer Client Hello. This happens because the `clientHelloMsg.marshalMsg` routine does not strip the PSK extension when ECH is active, as documented in the upstream issue golang/go79282.
A passive network observer positioned between the client and the server can read the plaintext outer Client Hello and extract the PSK identities. These identities often correspond to specific services, user sessions, or application contexts, allowing the observer to link the TLS handshake to a particular user or service – effectively de‑anonymizing the connection that was supposed to be protected by ECH.
The vulnerability affects all Go versions that support ECH and PSK negotiation:
– Go 1.25.x before 1.25.12
– Go 1.26.x from 1.26.0 up to (but not including) 1.26.5
– Go 1.27.x release candidates before 1.27.0‑rc.2
The flaw was assigned CWE‑201 (Insertion of Sensitive Information Into Sent Data) and has a CVSS 3.1 base score of 5.3 (MEDIUM) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The attack is network‑accessible, requires no privileges or user interaction, and has low complexity; it only affects confidentiality (low impact).
The Go project credited Coia Prant (github.com/rbqvq) for discovering and reporting the issue. The fix (CL 775960) ensures that when ECH is being used, the PSK extension is omitted from the outer Client Hello, thereby preserving the privacy guarantees that ECH was designed to provide.
DailyCVE Form
Platform: Go standard library Version: <1.25.12, 1.26.0-1.26.4, 1.27.0-rc.1 Vulnerability: Information Disclosure (CWE-201) Severity: Medium (CVSS 5.3) Date: 2026-07-08 Prediction: 2026-07-15 (expected patch release)
What Undercode Say
Analytics:
- EPSS score: 0.42% (0.33836) – low probability of exploitation
- CISA SSVC assessment: Exploitation – none; Automatable – yes; Technical Impact – partial
- VEX status: 147 affected, 247 under investigation
- Public references: Go CL 775960, Issue 79282, golang‑announce mailing list
- Affected routines:
clientHelloMsg.marshalMsg,Conn.Handshake,Conn.Read,Conn.Write,Dial,QUICConn., etc.
Bash commands to check Go version and verify fix:Check current Go version go version If using Go 1.25.x, ensure >= 1.25.12 If using Go 1.26.x, ensure >= 1.26.5 If using Go 1.27.x, ensure >= 1.27.0-rc.2 For containerised environments, inspect the base image: docker run --rm your-image go version To test whether the PSK extension is leaked, use a packet capture: tcpdump -i any -w handshake.pcap 'port 443' Then inspect the outer Client Hello for the "pre_shared_key" extension.
Exploit
A passive network observer (e.g., an ISP, a malicious Wi‑Fi access point, or a compromised router) can:
1. Capture the TLS 1.3 handshake packets during the initial connection.
2. Parse the plaintext outer Client Hello (which is sent before any encryption is established).
3. Extract the `pre_shared_key` extension, which contains one or more PSK identities.
4. Correlate those identities with known services, user sessions, or application fingerprints, thereby de‑anonymizing the client and the intended server.
The attack requires no active injection or modification of traffic – it is purely passive, making it difficult to detect. The disclosed PSK identities can be used for further reconnaissance, user tracking, or session profiling.
Protection
- Upgrade Go to a patched version:
- Go 1.25.12 or later
- Go 1.26.5 or later
- Go 1.27.0‑rc.2 or later (or the final 1.27.0 release)
- Apply security updates from your Linux distribution (e.g., SUSE‑SU‑2026:28 for SUSE, openSUSE go1.26‑1.26.5‑1.1).
- If upgrading is not immediately possible, disable ECH on the client side by configuring the TLS client without the ECH extension (though this reduces privacy).
- Monitor for unexpected PSK extensions in outgoing Client Hellos using network inspection tools.
Impact
- Confidentiality breach: An attacker can learn which PSK identities are being used, potentially revealing the target service, user account, or session token.
- Privacy degradation: The primary purpose of ECH – to hide the Server Name Indication (SNI) and other sensitive handshake data – is undermined, as the PSK identities often contain similar or even more granular information.
- Widespread exposure: The vulnerability affects all applications using Go’s `crypto/tls` with ECH enabled, including many cloud‑native services, microservices, and client tools.
- No integrity or availability impact: The attack is passive and does not alter the handshake or cause denial of service.
- Long‑term risk: If left unpatched, persistent observers can build profiles of users and services over time, enabling targeted surveillance or social engineering attacks.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

