CVE-2026-27137

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
1.15.15-1~deb11u4
fixed
golang-1.19
bookworm
1.19.8-2
fixed
golang-1.24
forky
1.24.13-2
fixed
sid
1.24.13-2
fixed
trixie
1.24.4-1
fixed
golang-1.25
forky
1.25.7-2
fixed
sid
1.25.7-2
fixed
golang-1.26
forky
vulnerable
sid
vulnerable
Vulnerability Media Exposure
References
https://go.dev/cl/752182
https://go.dev/issue/77952
https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
https://pkg.go.dev/vuln/GO-2026-4599