CVE-2024-45341:
A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI...
6.1
Miggo AI
Root Cause Analysis
The vulnerability lies in the incorrect handling of IPv6 addresses with zone IDs within URI name constraints in TLS certificates. I started by trying to fetch commit information from the provided URLs. The Gerrit CL URL (https://go.dev/cl/643099) was the most promising. Although direct fetching of its content and of the derived commit SHA failed initially, I manually inspected the Gerrit CL page (https://go-review.googlesource.com/c/go/+/643099/) and identified the changed files and the commit SHA (1937a71983197810957991994880899500c80789). The key modified file is src/crypto/x509/verify.go, and the function checkNameConstraints within it. The patch introduces a helper function stripZone and modifies checkNameConstraints to use this helper to remove the zone ID from an IPv6 host string extracted from a URI before it is used for constraint matching. This directly points to checkNameConstraints as the function containing the vulnerable logic, as it previously passed the IPv6 address with the zone ID (or an incorrectly processed version of it) to the matching logic. The GO-2025-3373 advisory also lists Certificate.Verify as an affected symbol, which calls checkNameConstraints, further supporting this.