CVE-2025-61727: Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509

Overview

Severity

Medium (CVSS 6.5)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploit Status

Not Exploited

Patch Tuesday

2025-Dec

Released

2025-12-06

Last Updated

2026-03-31

EPSS Score

0.01% (percentile: 1.4%)

Affected Products (18)

Open Source Software

• cbl2 golang 1.18.8-10 on CBL Mariner 2.0
• cbl2 golang 1.22.7-5 on CBL Mariner 2.0
• azl3 golang 1.23.12-1 on Azure Linux 3.0
• azl3 golang 1.25.5-1 on Azure Linux 3.0
• azl3 python-tensorboard 2.16.2-6 on Azure Linux 3.0
• cbl2 gcc 11.2.0-9 on CBL Mariner 2.0
• cbl2 msft-golang 1.24.11-1 on CBL Mariner 2.0
• cbl2 python-tensorboard 2.11.0-3 on CBL Mariner 2.0
• cbl2 tensorflow 2.11.1-2 on CBL Mariner 2.0

Other

• 20973-17084
• 21051-17084
• 21113-17084
• 21117-17086
• 20863-17084
• 20867-17086
• 20942-17086

Mariner

• azl3 gcc 13.2.0-7 on Azure Linux 3.0
• azl3 tensorflow 2.16.1-9 on Azure Linux 3.0

Revision History

• 2025-12-06: Information published.
• 2025-12-07: Information published.
• 2025-12-08: Information published.
• 2025-12-09: Information published.
• 2025-12-12: Information published.
• 2025-12-13: Information published.
• 2026-02-21: Information published.
• 2026-03-03: Information published.
• 2026-03-04: Information published.
• 2026-03-12: Information published.
• 2026-03-31: Information published.