The ToASCII and ToUnicode functions incorrectly accepted Punycode-encoded labels
that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com")
incorrectly returned the name "example.com" rather than an error.
The idna package implements the processing algorithm from UTS 46.
Older versions of UTS 46 included a specification bug which permitted
multiple ASCII labels to decode to the same Unicode label.
UTS 46 revision 33 fixed the specification bug.
The idna package now implements the updated specification.
This behavior can lead to privilege escalation in programs using the idna package.
For example, a program which performs privilege checks on the ASCII hostname
may reject "example.com" but permit "xn--example-.com". If that program subsequently
converts the ASCII hostname to Unicode, it will inadvertently permits access
to the Unicode name "example.com".
Thanks to KC1zs4 (https://github.com/KC1zs4) for reporting this issue.
This is CVE-2026-39821 and Go issue https://go.dev/issue/78760.
This was a PUBLIC track issue, tracked in http://b/500342011.
The ToASCII and ToUnicode functions incorrectly accepted Punycode-encoded labels
that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com")
incorrectly returned the name "example.com" rather than an error.
The idna package implements the processing algorithm from UTS 46.
Older versions of UTS 46 included a specification bug which permitted
multiple ASCII labels to decode to the same Unicode label.
UTS 46 revision 33 fixed the specification bug.
The idna package now implements the updated specification.
This behavior can lead to privilege escalation in programs using the idna package.
For example, a program which performs privilege checks on the ASCII hostname
may reject "example.com" but permit "xn--example-.com". If that program subsequently
converts the ASCII hostname to Unicode, it will inadvertently permits access
to the Unicode name "example.com".
Thanks to KC1zs4 (https://github.com/KC1zs4) for reporting this issue.
This is CVE-2026-39821 and Go issue https://go.dev/issue/78760.
This was a PUBLIC track issue, tracked in http://b/500342011.