CVE-2026-27137

EUVD-2026-10085
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
golanggo
1.26.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
1.15.15-1~deb11u4
fixed
golang-1.19
bookworm
1.19.8-2
fixed
golang-1.24
trixie
1.24.4-1
fixed
golang-1.25
forky
1.25.10-2
fixed
sid
1.25.11-1
fixed
golang-1.26
forky
1.26.3-2
fixed
sid
1.26.4-1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
go-toolset
RHEL 9
0:1.26.2-1.el9_8
fixed
golang
RHEL 9
0:1.26.2-1.el9_8
fixed
golang-bin
RHEL 9
0:1.26.2-1.el9_8
fixed
golang-docs
RHEL 9
0:1.26.2-1.el9_8
fixed
golang-misc
RHEL 9
0:1.26.2-1.el9_8
fixed
golang-race
RHEL 9
0:1.26.2-1.el9_8
fixed
golang-src
RHEL 9
0:1.26.2-1.el9_8
fixed
golang-tests
RHEL 9
0:1.26.2-1.el9_8
fixed
image-builder
RHEL 9
0:52.1-1.el9_8
fixed
osbuild-composer
RHEL 9
0:165.1-2.el9_8
fixed
osbuild-composer-core
RHEL 9
0:165.1-2.el9_8
fixed
osbuild-composer-worker
RHEL 9
0:165.1-2.el9_8
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://go.dev/cl/752182
https://go.dev/issue/77952
https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
https://pkg.go.dev/vuln/GO-2026-4599