CVE-2025-68121 - Vulnerability Details

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Go Standard Library	Crypto Tls
Golang	Go

Configuration 1 [-]

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go:1.26.0:rc1::::::
	cpe:2.3:a:golang:go:1.26.0:rc2::::::

No data.

References

Link	Providers
https://go.dev/cl/737700
https://go.dev/issue/77217
https://groups.google.com/g/golang-announce/c/K09ubi9FQFk
https://nvd.nist.gov/vuln/detail/CVE-2025-68121
https://pkg.go.dev/vuln/GO-2026-4337
https://www.cve.org/CVERecord?id=CVE-2025-68121

History

Thu, 12 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-68121 https://www.cve.org/CVERecord?id=CVE-2025-68121
Metrics	threat_severity `None`	threat_severity `Moderate`

Tue, 10 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Golang Golang go
CPEs		cpe:2.3:a:golang:go:::::::: cpe:2.3:a:golang:go:1.26.0:rc1:::::: cpe:2.3:a:golang:go:1.26.0:rc2::::::
Vendors & Products		Golang Golang go

Fri, 06 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-295
Metrics		cvssV3_1 `{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Go Standard Library Go Standard Library crypto Tls
Vendors & Products		Go Standard Library Go Standard Library crypto Tls

Thu, 05 Feb 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
Title		Unexpected session resumption in crypto/tls
References		https://go.dev/cl/737700 https://go.dev/issue/77217 https://groups.google.com/g/golang-announce/c/K09ubi9FQFk https://pkg.go.dev/vuln/GO-2026-4337

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2026-02-05T17:48:44.141Z

Updated: 2026-02-06T15:35:32.823Z

Reserved: 2025-12-15T16:48:04.451Z

Link: CVE-2025-68121

Vulnrichment

Updated: 2026-02-06T15:32:38.457Z

NVD

Status : Analyzed

Published: 2026-02-05T18:16:10.857

Modified: 2026-02-10T16:08:03.303

Link: CVE-2025-68121

Redhat

Severity : Moderate

Publid Date: 2026-02-05T17:48:44Z

Links: CVE-2025-68121 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object