🟡 Medium  |  Source: Microsoft Security Response Center


CVE-2026-42505 is a privacy vulnerability in Go’s crypto/tls package affecting the Encrypted Client Hello (ECH) feature, which is designed to prevent network observers from identifying which server a client is connecting to. A flaw in the implementation can leak the intended destination, undermining the privacy protections ECH is meant to provide. This is particularly relevant for Azure-hosted services and applications built using Go that rely on TLS for confidentiality of connection metadata.

Security Architect’s Take: Audit any Azure workloads or containerised applications using Go’s crypto/tls package and ensure you are running a patched version of the Go runtime. Pay particular attention to services where connection-destination privacy is a compliance or threat-model requirement, such as those handling sensitive client routing or zero-trust network architectures.

Original advisory: CVE-2026-42505 Invoking Encrypted Client Hello privacy leak in crypto/tls