CVE-2026-27137

Summary

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

Affected Software

VendorProductVersion RangeStatus
Go standard librarycrypto/x5091.26.0-0 < 1.26.1affected

Weaknesses

  • CWE-295: Improper Certificate Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

crypto/x509: Incorrect enforcement of email constraints in crypto/x509

Additional References

References