cbcvebase.
CVE-2026-27137
published 2026-03-06


Priority: P3 39 | high 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.61% (44.5th percentile)
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

Affected

9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.26 1.26.1-1 (forky) | golang-1.26 1.26.1-1 (forky) |
| debian | golang-1.19 | < golang-1.26 1.26.1-1 (forky) | golang-1.26 1.26.1-1 (forky) |
| debian | golang-1.24 | < golang-1.26 1.26.1-1 (forky) | golang-1.26 1.26.1-1 (forky) |
| debian | golang-1.25 | < golang-1.26 1.26.1-1 (forky) | golang-1.26 1.26.1-1 (forky) |
| debian | golang-1.26 | < golang-1.26 1.26.1-1 (forky) | golang-1.26 1.26.1-1 (forky) |
| go_standard_library | crypto_x509 | >= 1.26.0-0 < 1.26.1 | 1.26.1 |
| golang | go | | |
| msrc | azl3_golang_1.25.7-1_on_azure_linux_3.0 | | |
| msrc | azl3_golang_1.26.0-1_on_azure_linux_3.0 | | |

CVSS provenance

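| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | LOW | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_msrc | | 5.9 | MEDIUM | |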