diff --git a/src/crypto/x509/parser.go b/src/crypto/x509/parser.go
index a2d3d809642..be6a5798e58 100644
--- a/src/crypto/x509/parser.go
+++ b/src/crypto/x509/parser.go
@@ -815,7 +815,7 @@ func parseCertificate(der []byte) (*Certificate, error) {
 	if !tbs.ReadOptionalASN1Integer(&cert.Version, cryptobyte_asn1.Tag(0).Constructed().ContextSpecific(), 0) {
 		return nil, errors.New("x509: malformed version")
 	}
-	if cert.Version < 0 {
+	if cert.Version < 0 || cert.Version > 3 {
 		return nil, errors.New("x509: malformed version")
 	}
 	// for backwards compat reasons Version is one-indexed,