CVE-2026-27137

HIGH7.5EPSS 0.02%

Incorrect enforcement of email constraints in crypto/x509

發布日:2026/3/6修改日:2026/5/20

描述

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

受影響套件(3)

Bitnami/golang>= 1.26.0-0, < 1.26.1
Debian/golang-1.26from 0, < 1.26.1-1
Go/stdlib>= 1.26.0-0, < 1.26.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

參考連結(6)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-27137
PATCHhttps://go.dev/cl/752182
REPORThttps://go.dev/issue/77952
WEBhttps://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-27137
WEBhttps://pkg.go.dev/vuln/GO-2026-4599