CVE-2026-27137 | THREATINT

Description

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

PUBLISHED Reserved 2026-02-17 | Published 2026-03-06 | Updated 2026-03-08 | Assigner Go

Problem types

CWE-295: Improper Certificate Validation

Product status

Default status

unaffected

1.26.0-0 (semver) before 1.26.1

affected

Credits

Jakub Ciolek

References

go.dev/cl/752182

go.dev/issue/77952

groups.google.com/g/golang-announce/c/EdhZqrQ98hk

pkg.go.dev/vuln/GO-2026-4599

cve.org (CVE-2026-27137)

nvd.nist.gov (CVE-2026-27137)

Download JSON