CVE-2026-27137
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Go standard library | crypto/x509 | 1.26.0-0 < 1.26.1 | affected |
Weaknesses
- CWE-295: Improper Certificate Validation
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
crypto/x509: Incorrect enforcement of email constraints in crypto/x509
Additional References
- https://access.redhat.com/security/cve/CVE-2026-27137
- https://bugzilla.redhat.com/show_bug.cgi?id=2445345
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27137.json
- https://access.redhat.com/errata/RHSA-2026:28047
- https://access.redhat.com/errata/RHSA-2026:10929
- https://access.redhat.com/errata/RHSA-2026:8842
- https://access.redhat.com/errata/RHSA-2026:10169
- https://access.redhat.com/errata/RHSA-2026:19022
- https://access.redhat.com/errata/RHSA-2026:22937
- https://access.redhat.com/errata/RHSA-2026:19049
- https://access.redhat.com/errata/RHSA-2026:22450
- https://access.redhat.com/errata/RHSA-2026:19132
- https://access.redhat.com/errata/RHSA-2026:28038
- https://access.redhat.com/errata/RHSA-2026:19181
- https://access.redhat.com/errata/RHSA-2026:23228
- https://access.redhat.com/errata/RHSA-2026:22714
- https://access.redhat.com/errata/RHSA-2026:9872
- https://access.redhat.com/errata/RHSA-2026:26585
- https://access.redhat.com/errata/RHSA-2026:11800
- https://access.redhat.com/errata/RHSA-2026:22862
- https://access.redhat.com/errata/RHSA-2026:22423
- https://access.redhat.com/errata/RHSA-2026:22347
- https://access.redhat.com/errata/RHSA-2026:5110
- https://access.redhat.com/errata/RHSA-2026:21769
- https://access.redhat.com/errata/RHSA-2026:23345
- https://access.redhat.com/errata/RHSA-2026:29854
- https://access.redhat.com/errata/RHSA-2026:26568
- https://access.redhat.com/errata/RHSA-2026:8151
- https://access.redhat.com/errata/RHSA-2026:13545
- https://access.redhat.com/errata/RHSA-2026:7291
- https://access.redhat.com/errata/RHSA-2026:9052
- https://access.redhat.com/errata/RHSA-2026:10184
- https://access.redhat.com/errata/RHSA-2026:5549
- https://access.redhat.com/errata/RHSA-2026:10158
- https://access.redhat.com/errata/RHSA-2026:10175
- https://access.redhat.com/errata/RHSA-2026:9697
- https://access.redhat.com/errata/RHSA-2026:9698
- https://access.redhat.com/errata/RHSA-2026:9699
- https://access.redhat.com/errata/RHSA-2026:9385
- https://access.redhat.com/errata/RHSA-2026:19375
- https://access.redhat.com/errata/RHSA-2026:14879
- https://access.redhat.com/errata/RHSA-2026:10125
- https://access.redhat.com/errata/RHSA-2026:10250
- https://access.redhat.com/errata/RHSA-2026:10225
- https://access.redhat.com/errata/RHSA-2026:8338
- https://access.redhat.com/errata/RHSA-2026:8337
- https://access.redhat.com/errata/RHSA-2026:8167
References
- https://go.dev/cl/752182
- https://go.dev/issue/77952
- https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
- https://pkg.go.dev/vuln/GO-2026-4599
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.