CVE-2026-27137

EUVD-2026-10085
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
1.15.15-1~deb11u4
fixed
golang-1.19
bookworm
1.19.8-2
fixed
golang-1.24
forky
1.24.13-2
fixed
sid
1.24.13-2
fixed
trixie
1.24.4-1
fixed
golang-1.25
forky
1.25.9-1
fixed
sid
1.25.9-1
fixed
golang-1.26
forky
1.26.2-1
fixed
sid
1.26.2-1
fixed
Vulnerability Media Exposure
References
https://go.dev/cl/752182
https://go.dev/issue/77952
https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
https://pkg.go.dev/vuln/GO-2026-4599