HIGHCVE-2026-27137Published 2026-03-06Modified 2026-03-10CNA Go

CVE-2026-27137: Incorrect enforcement of email constraints in crypto/x509

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 1.26.1
Affected Products: 1

Fix available

1.26.1

Affected packages

Go standard library / crypto/x509
< 1.26.1 (from 1.26.0-0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

go.dev
go.dev
groups.google.com
pkg.go.dev

Metrics

Fix available