CVE-2026-27137
Published 2026-03-06
Priority P339 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.61% (44.5th percentile)
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.26 1.26.1-1 (forky) | golang-1.26 1.26.1-1 (forky) |
| debian | golang-1.19 | < golang-1.26 1.26.1-1 (forky) | golang-1.26 1.26.1-1 (forky) |
| debian | golang-1.24 | < golang-1.26 1.26.1-1 (forky) | golang-1.26 1.26.1-1 (forky) |
| debian | golang-1.25 | < golang-1.26 1.26.1-1 (forky) | golang-1.26 1.26.1-1 (forky) |
| debian | golang-1.26 | < golang-1.26 1.26.1-1 (forky) | golang-1.26 1.26.1-1 (forky) |
| go_standard_library | crypto_x509 | >= 1.26.0-0 < 1.26.1 | 1.26.1 |
| golang | go | — | — |
| msrc | azl3_golang_1.25.7-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.26.0-1_on_azure_linux_3.0 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_msrc | — | 5.9 | MEDIUM | — |
GHSA
GHSA-7hfw-r8qc-89v4 (ghsa_unreviewed · 2026-03-07)
OSV
CVE-2026-27137 (osv · 2026-03-06 · CVSS 7.5)
OSV
Incorrect enforcement of email constraints in crypto/x509 (osv · 2026-03-06)
Microsoft
Incorrect enforcement of email constraints in crypto/x509 (vendor_msrc · 2026-03-10 · CVSS 5.9)
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Red Hat
crypto/x509: Incorrect enforcement of email constraints in crypto/x509 (vendor_redhat · 2026-03-06 · CVSS 7.5 · CWE-295)
A certificate validation flaw has been discovered in the golang crypto/x509 module. When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
Mitigation: Mitigation for this issue is either not available or the currently available options d
Debian
CVE-2026-27137: golang-1.15 (vendor_debian · 2026 · CVSS 7.5)
Scope: local
bullseye: resolved
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-27137 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 7.5)
CVE-2026-27137: Grafana vulnerability analysis and mitigation
Source: NVD
Score: 7.5
Published: March 6, 2026
Severity: HIGH
CNA Score: 7.5
Affected Technologies: Grafana, HashiCorp Vault
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2.2
Exploitation Probability (EPSS): N/A
Affected packages and libraries: golang-misc, container-tools:rhel8::buildah
Sources:
NVD
Alpine 3.23 Severity HIGH Has Fix Added at: Mar 0
Bugzilla
CVE-2026-27137 crypto/x509: Incorrect enforcement of email constraints in crypto/x509 (bugzilla · 2026-03-06 · CVSS 7.5)
References
https://go.dev/cl/752182
https://go.dev/issue/77952
https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
https://pkg.go.dev/vuln/GO-2026-4599
https://access.redhat.com/errata/RHSA-2026:10125
https://access.redhat.com/errata/RHSA-2026:10158
https://access.redhat.com/errata/RHSA-2026:10169
https://access.redhat.com/errata/RHSA-2026:10175
https://access.redhat.com/errata/RHSA-2026:10184
https://access.redhat.com/errata/RHSA-2026:10225
https://access.redhat.com/errata/RHSA-2026:10250
https://access.redhat.com/errata/RHSA-2026:10929
https://access.redhat.com/errata/RHSA-2026:11800
https://access.redhat.com/errata/RHSA-2026:13545
https://access.redhat.com/errata/RHSA-2026:14879
https://access.redhat.com/errata/RHSA-2026:19022
https://access.redhat.com/errata/RHSA-2026:19049
https://access.redhat.com/errata/RHSA-2026:19132
https://access.redhat.com/errata/RHSA-2026:19181
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:21769
https://access.redhat.com/errata/RHSA-2026:22347
https://access.redhat.com/errata/RHSA-2026:22423
https://access.redhat.com/errata/RHSA-2026:22450
https://access.redhat.com/errata/RHSA-2026:22714
https://access.redhat.com/errata/RHSA-2026:22862
https://access.redhat.com/errata/RHSA-2026:22937
https://access.redhat.com/errata/RHSA-2026:23228
https://access.redhat.com/errata/RHSA-2026:23345
https://access.redhat.com/errata/RHSA-2026:26568
https://access.redhat.com/errata/RHSA-2026:26585
https://access.redhat.com/errata/RHSA-2026:28038
https://access.redhat.com/errata/RHSA-2026:28047
https://access.redhat.com/errata/RHSA-2026:29854
https://access.redhat.com/errata/RHSA-2026:5110
https://access.redhat.com/errata/RHSA-2026:5549
https://access.redhat.com/errata/RHSA-2026:7291
https://access.redhat.com/errata/RHSA-2026:8151
https://access.redhat.com/errata/RHSA-2026:8167
https://access.redhat.com/errata/RHSA-2026:8337
https://access.redhat.com/errata/RHSA-2026:8338
https://access.redhat.com/errata/RHSA-2026:8842
https://access.redhat.com/errata/RHSA-2026:9052
https://access.redhat.com/errata/RHSA-2026:9385
https://access.redhat.com/errata/RHSA-2026:9697
https://access.redhat.com/errata/RHSA-2026:9698
https://access.redhat.com/errata/RHSA-2026:9699
https://access.redhat.com/errata/RHSA-2026:9872
https://access.redhat.com/security/cve/CVE-2026-27137
https://bugzilla.redhat.com/show_bug.cgi?id=2445345
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27137.json