CVE-2026-27137

high

Description

When verifying a certificate chain that contains a certificate with multiple email address constraints that share a common local portion but have different domain portions, the constraints are not properly applied: only the last constraint is considered.

References

https://pkg.go.dev/vuln/GO-2026-4599

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

https://go.dev/issue/77952

https://go.dev/cl/752182

Details

Source: Mitre, NVD

Published: 2026-03-06

Updated: 2026-03-10

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

EPSS

EPSS: 0.00009