CVE-2026-27137

HIGH 7.5

Incorrect enforcement of email constraints in crypto/x509

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

Vendor	go standard library
Product	crypto/x509
Published	Mar 6, 2026
Last Updated	Mar 10, 2026

Stay Ahead of the Next One

Get instant alerts for go standard library crypto/x509

Be the first to know when new high vulnerabilities affecting go standard library crypto/x509 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Go standard library / crypto/x509

1.26.0-0 < 1.26.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

go.dev: https://go.dev/cl/752182 go.dev: https://go.dev/issue/77952 groups.google.com: https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk pkg.go.dev: https://pkg.go.dev/vuln/GO-2026-4599

Credits

Jakub Ciolek