CVE-2026-27137

high

Description

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27137.json

https://pkg.go.dev/vuln/GO-2026-4599

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

https://go.dev/issue/77952

https://go.dev/cl/752182

https://bugzilla.redhat.com/show_bug.cgi?id=2445345

https://access.redhat.com/security/cve/CVE-2026-27137

https://access.redhat.com/errata/RHSA-2026:9872

https://access.redhat.com/errata/RHSA-2026:9699

https://access.redhat.com/errata/RHSA-2026:9698

https://access.redhat.com/errata/RHSA-2026:9697

https://access.redhat.com/errata/RHSA-2026:9385

https://access.redhat.com/errata/RHSA-2026:9052

https://access.redhat.com/errata/RHSA-2026:8842

https://access.redhat.com/errata/RHSA-2026:8338

https://access.redhat.com/errata/RHSA-2026:8337

https://access.redhat.com/errata/RHSA-2026:8167

https://access.redhat.com/errata/RHSA-2026:8151

https://access.redhat.com/errata/RHSA-2026:7291

https://access.redhat.com/errata/RHSA-2026:5549

https://access.redhat.com/errata/RHSA-2026:5110

https://access.redhat.com/errata/RHSA-2026:36796

https://access.redhat.com/errata/RHSA-2026:29854

https://access.redhat.com/errata/RHSA-2026:28047

https://access.redhat.com/errata/RHSA-2026:28038

https://access.redhat.com/errata/RHSA-2026:26585

https://access.redhat.com/errata/RHSA-2026:26568

https://access.redhat.com/errata/RHSA-2026:23345

https://access.redhat.com/errata/RHSA-2026:23228

https://access.redhat.com/errata/RHSA-2026:22937

https://access.redhat.com/errata/RHSA-2026:22862

https://access.redhat.com/errata/RHSA-2026:22714

https://access.redhat.com/errata/RHSA-2026:22450

https://access.redhat.com/errata/RHSA-2026:22423

https://access.redhat.com/errata/RHSA-2026:22347

https://access.redhat.com/errata/RHSA-2026:21769

https://access.redhat.com/errata/RHSA-2026:19375

https://access.redhat.com/errata/RHSA-2026:19181

https://access.redhat.com/errata/RHSA-2026:19132

https://access.redhat.com/errata/RHSA-2026:19049

https://access.redhat.com/errata/RHSA-2026:19022

https://access.redhat.com/errata/RHSA-2026:14879

https://access.redhat.com/errata/RHSA-2026:13545

https://access.redhat.com/errata/RHSA-2026:11800

https://access.redhat.com/errata/RHSA-2026:10929

https://access.redhat.com/errata/RHSA-2026:10250

https://access.redhat.com/errata/RHSA-2026:10225

https://access.redhat.com/errata/RHSA-2026:10184

https://access.redhat.com/errata/RHSA-2026:10175

https://access.redhat.com/errata/RHSA-2026:10169

https://access.redhat.com/errata/RHSA-2026:10158

https://access.redhat.com/errata/RHSA-2026:10125

Details

Source: Mitre, NVD

Published: 2026-03-06

Updated: 2026-07-09

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

EPSS

EPSS: 0.00009