CVE-2026-27137

HIGH7.5EPSS 0.02%

Incorrect enforcement of email constraints in crypto/x509

Published: 3/6/2026Modified: 5/20/2026

Description

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

Affected packages (3)

Bitnami/golang>= 1.26.0-0, < 1.26.1
Debian/golang-1.26from 0, < 1.26.1-1
Go/stdlib>= 1.26.0-0, < 1.26.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (6)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-27137
PATCHhttps://go.dev/cl/752182
REPORThttps://go.dev/issue/77952
WEBhttps://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-27137
WEBhttps://pkg.go.dev/vuln/GO-2026-4599