CVE-2025-68121

Published Feb 5, 2026

Last updated a month ago

CVSS critical 10.0
Golang
AWS
Mysql
Container Security
SSL
Tls

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-68121 is a vulnerability in the `crypto/tls` package of the Go programming language, addressed in Go versions 1.25.6 and 1.24.12. It covers two distinct issues. First, the `Config.Clone` function leaked automatically generated session ticket keys into the clone, which could allow sessions to be resumed across different configurations that should not share a ticket key. Second, server-side session resumption checked only the expiration of the leaf certificate, not the expiration of the intermediate or root certificates in the full chain, so a session could be resumed even though a certificate higher in the chain had expired.

Description
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
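The description above turns on one practice: a `tls.Config` that has already issued or consumed sessions should never have its `RootCAs` or `ClientCAs` changed afterwards, and clones that serve different trust sets should not share ticket keys. The following Go program is an added defensive example written for this record; it is not code from the Go project or from this page. It does two things: it checks a toolchain version string against the fixed versions stated above (1.25.6 and 1.24.12), and it builds one immutable server config per tenant from a base config with `Config.Clone`, giving every clone its own session ticket key so that a ticket issued under one `ClientCAs` pool cannot be resumed under another, whether or not the running toolchain still copies the auto-generated keys. The tenant names, the rule that any Go 1.26 or later build counts as patched, and the key-handling policy are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// fixedPatch maps a Go 1.x minor series to the first patch release that carries
// the crypto/tls fix for CVE-2025-68121, taken from the record above.
var fixedPatch = map[int]int{24: 12, 25: 6}

// leadingInt parses the digits at the start of s ("26rc3" -> 26).
func leadingInt(s string) (int, bool) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	if i == 0 {
		return 0, false
	}
	n, err := strconv.Atoi(s[:i])
	return n, err == nil
}

// parseGoVersion turns "go1.25.6", "go1.24.12" or "go1.26rc3" into (minor, patch).
// A missing patch level, as in a release candidate, is reported as patch 0.
func parseGoVersion(v string) (minor, patch int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || parts[0] != "1" {
		return 0, 0, false
	}
	if minor, ok = leadingInt(parts[1]); !ok {
		return 0, 0, false
	}
	if len(parts) >= 3 {
		if patch, ok = leadingInt(parts[2]); !ok {
			return 0, 0, false
		}
	}
	return minor, patch, true
}

// isPatched reports whether a toolchain version contains the fix. Assumption:
// series after 1.25 are treated as fixed (the page lists 1.26 release candidates
// as carrying the update); series before 1.24 are unsupported and treated as not fixed.
func isPatched(v string) bool {
	minor, patch, ok := parseGoVersion(v)
	if !ok {
		return false
	}
	if minor > 25 {
		return true
	}
	need, known := fixedPatch[minor]
	return known && patch >= need
}

// newIsolatedServerConfig returns a clone of base bound to one tenant's client CA
// pool. The clone gets its own session ticket key, so a ticket issued under one
// ClientCAs pool cannot be resumed under another even if Clone copied the base
// config's auto-generated keys. The key is returned only so the caller can store
// and rotate it; it must be kept secret. (Illustrative policy, not Go's own API.)
func newIsolatedServerConfig(base *tls.Config, clientCAs *x509.CertPool) (*tls.Config, [32]byte, error) {
	var key [32]byte
	if _, err := rand.Read(key[:]); err != nil {
		return nil, key, err
	}
	cfg := base.Clone()
	cfg.ClientCAs = clientCAs
	cfg.ClientAuth = tls.RequireAndVerifyClientCert
	cfg.SetSessionTicketKeys([][32]byte{key})
	return cfg, key, nil
}

// tenantSelector builds a GetConfigForClient callback that picks a prebuilt tenant
// config by SNI. Every config exists before the listener starts, so no live Config
// is ever mutated between an initial and a resumed handshake.
func tenantSelector(byName map[string]*tls.Config) func(*tls.ClientHelloInfo) (*tls.Config, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		if cfg, ok := byName[hello.ServerName]; ok {
			return cfg, nil
		}
		return nil, fmt.Errorf("unknown server name %q", hello.ServerName)
	}
}

func main() {
	fmt.Printf("%s contains the CVE-2025-68121 fix: %v\n", runtime.Version(), isPatched(runtime.Version()))
	base := &tls.Config{MinVersion: tls.VersionTLS12}
	tenants := map[string]*tls.Config{}
	for _, name := range []string{"a.example", "b.example"} { // constructed tenant names
		cfg, _, err := newIsolatedServerConfig(base, x509.NewCertPool()) // empty pools for the demo
		if err != nil {
			panic(err)
		}
		tenants[name] = cfg
	}
	base.GetConfigForClient = tenantSelector(tenants)
	// base would now go to tls.NewListener; omitted so the example runs offline.
	fmt.Println("built", len(tenants), "isolated tenant configs")
}
```

The version check is the real fix for the `RootCAs`/`ClientCAs` mutation problem; the per-clone ticket key only removes the shared-key path. On the client side the analogous measure is one `tls.Config` per `RootCAs` set, each with its own `ClientSessionCache` (for example from `tls.NewLRUClientSessionCache`), never a cache shared between configs that trust different roots.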
Source: security@golang.org
NVD status: Modified
Products: go

Risk scores

CVSS 3.1

Type: Primary
Base score: 10
Impact score: 6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-295

Social media

Hype score
Not currently trending
  1. Last Week in Cloud Native: ⚙️ Kubernetes v1.36 released: User Namespaces & Kubelet API Auth GA. Kyverno v1.16.4 fixed CVE-2025-68121. cert-manager v1.19.5 resolved CVEs. Full breakdown: https://t.co/kpfZhYAgXO

    @mfahlandt

    27 Apr 2026

    192 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🔍 Lambda Watchdog detected that CVE-2025-68121 is no longer present in latest AWS Lambda base image scans. https://t.co/AienQPpdci #AWS #Lambda #Security #CVE #DevOps #SecOps

    @LambdaWatchdog

    23 Feb 2026

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. After analyzing 84% of vulnerabilities from past week, CVE-2025-68121 has 16 articles published from different internet sources, no other cve has these many articles. More information here: https://t.co/SyyDujjO8C #vulnerability #CyberSecurity #ThreatIntel #CVE #SecurityAlert

    @stooee_

    14 Feb 2026

    50 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. After analyzing 70% of vulnerabilities from past week, CVE-2025-68121 has 16 articles published from different internet sources, no other cve has these many articles. More information here: https://t.co/SyyDujjO8C #vulnerability #CyberSecurity #ThreatIntel #CVE #SecurityAlert

    @stooee_

    13 Feb 2026

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. After analyzing 56% of vulnerabilities from past week, CVE-2025-68121 has 14 articles published from different internet sources, no other cve has these many articles. More information here: https://t.co/SyyDujjO8C #vulnerability #CyberSecurity #ThreatIntel #CVE #SecurityAlert

    @stooee_

    12 Feb 2026

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. After analyzing 42% of vulnerabilities from past week, CVE-2025-68121 has 14 articles published from different internet sources, no other cve has these many articles. More information here: https://t.co/SyyDujjO8C #vulnerability #CyberSecurity #ThreatIntel #CVE #SecurityAlert

    @stooee_

    11 Feb 2026

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. A security vulnerability (CVE-2025-68121) in `golang` `crypto/tls` may lead to unexpected session resumption. Developers should review `golang` deployments and consider updating. #golang #TLS #infosec https://t.co/0Z74dpwA6H

    @pulsepatchio

    11 Feb 2026

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    4 Replies

    0 Quotes

  8. 🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2025-68121 impacts libcap in 47 Lambda base images. Details: https://t.co/AienQPpdci More: https://t.co/6EUGaPyRZk #AWS #Lambda #CVE #CloudSecurity #Serverless

    @LambdaWatchdog

    8 Feb 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Go 1.25.7, 1.24.13 fix 2 CVEs https://t.co/bf31PXLyCI CVE-2025-61732: cmd/cgo: Discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the cgo binary CVE-2025-68121: crypto/tls: Unexpected session resumption when using Config.GetConfigForClient

    @oss_security

    8 Feb 2026

    355 Impressions

    0 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2025-68121 Session Resumption Bypass in Go crypto/tls Config.GetConf... https://t.co/4QQ5o3ELgP Don't wait vulnerability scanning results: https://t.co/oh1APvMMnd

    @VulmonFeeds

    5 Feb 2026

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. CVE-2025-68121 During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake,… https://t.co/eWtYlhtxlj

    @CVEnew

    5 Feb 2026

    326 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 🎉 Go 1.25.7 and 1.24.13 are released! 🔐 Security: Includes a security fix for cmd/cgo (CVE-2025-61732) and an update for crypto/tls (CVE-2025-68121). 🗣 Announcement: https://t.co/gn4BwmFBh4 📦 Download: https://t.co/cZRQix5aeM #golang https://t.co/NnF8ayxKrK

    @golang

    4 Feb 2026

    12719 Impressions

    44 Retweets

    308 Likes

    18 Bookmarks

    2 Replies

    2 Quotes

  13. 🥳 Go 1.26 Release Candidate 3 is released! 🔐 Security: Includes an update for crypto/tls (CVE-2025-68121). 🏃‍♂️ Run it in dev! Run it in prod! File bugs! https://t.co/Ul1xGhvlkf 📢 Announcement: https://t.co/WTZSMY1fay ⬇️ Download: https://t.co/NoKrW5T8JG

    @golang

    4 Feb 2026

    16768 Impressions

    53 Retweets

    380 Likes

    22 Bookmarks

    4 Replies

    2 Quotes

  14. Go 1.25.6 and 1.24.12 fix 6 CVEs https://t.co/XjElQGk7ZQ CVE-2025-61728 archive/zip: DoS CVE-2025-61726 net/http: Memory exhaustion CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for chain expiration

    @oss_security

    16 Jan 2026

    917 Impressions

    2 Retweets

    11 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

  15. 🥳 Go 1.26 Release Candidate 2 is released! 🔐 Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). 🏃‍♀️ Run it in dev! Run it in prod! F

    @golang

    15 Jan 2026

    22045 Impressions

    52 Retweets

    423 Likes

    30 Bookmarks

    4 Replies

    2 Quotes

  16. 🎊 Go 1.25.6 and 1.24.12 are released! 🔐 Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). 📣 Announcement: https://t.co/seVA1REoeH 📦 Do

    @golang

    15 Jan 2026

    14651 Impressions

    53 Retweets

    279 Likes

    26 Bookmarks

    4 Replies

    3 Quotes

  17. A Go release scheduled for Thursday, Jan 15th covering CVE-2025-61728 CVE-2025-61726 CVE-2025-68121 CVE-2025-61731 CVE-2025-68119, all currently embargoed. Reports of an SSH 0-day, in context of Go's crypto/ssh module.

    @_mattata

    13 Jan 2026

    327 Impressions

    0 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations