{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27137", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-17T19:57:28.434Z", "datePublished": "2026-03-06T21:28:13.748Z", "dateUpdated": "2026-03-10T13:32:53.202Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-08T05:56:20.771Z"}, "title": "Incorrect enforcement of email constraints in crypto/x509", "descriptions": [{"lang": "en", "value": "When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered."}], "affected": [{"vendor": "Go standard library", "product": "crypto/x509", "collectionURL": "https://pkg.go.dev", "packageName": "crypto/x509", "versions": [{"version": "1.26.0-0", "lessThan": "1.26.1", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "newEmailConstraints"}, {"name": "emailConstraints.query"}, {"name": "checkConstraints"}, {"name": "checkChainConstraints"}, {"name": "parseMailboxes"}, {"name": "Certificate.Verify"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-295: Improper Certificate Validation"}]}], "references": [{"url": "https://go.dev/cl/752182"}, {"url": "https://go.dev/issue/77952"}, {"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4599"}], "credits": [{"lang": "en", "value": "Jakub Ciolek"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T13:32:09.097820Z", "id": "CVE-2026-27137", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:32:53.202Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27137", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T13:32:09.097820Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:32:37.164Z"}}], "cna": {"title": "Incorrect enforcement of email constraints in crypto/x509", "credits": [{"lang": "en", "value": "Jakub Ciolek"}], "affected": [{"vendor": "Go standard library", "product": "crypto/x509", "versions": [{"status": "affected", "version": "1.26.0-0", "lessThan": "1.26.1", "versionType": "semver"}], "packageName": "crypto/x509", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "newEmailConstraints"}, {"name": "emailConstraints.query"}, {"name": "checkConstraints"}, {"name": "checkChainConstraints"}, {"name": "parseMailboxes"}, {"name": "Certificate.Verify"}]}], "references": [{"url": "https://go.dev/cl/752182"}, {"url": "https://go.dev/issue/77952"}, {"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4599"}], "descriptions": [{"lang": "en", "value": "When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-08T05:56:20.771Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27137", "state": "PUBLISHED", "dateUpdated": "2026-03-10T13:32:53.202Z", "dateReserved": "2026-02-17T19:57:28.434Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-03-06T21:28:13.748Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:1.26.0:*:*:*:*:*:*:*", "matchCriteriaId": "A40FE3CB-0D03-462B-8A19-4DF1920ABE82", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered."}, {"lang": "es", "value": "Al verificar una cadena de certificados que contiene un certificado con m\u00faltiples restricciones de direcci\u00f3n de correo electr\u00f3nico que comparten porciones locales comunes pero porciones de dominio diferentes, estas restricciones no se aplicar\u00e1n correctamente, y solo la \u00faltima restricci\u00f3n ser\u00e1 considerada."}], "id": "CVE-2026-27137", "lastModified": "2026-04-21T14:40:31.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-06T22:16:00.850", "references": [{"source": "security@golang.org", "tags": ["Mailing List"], "url": "https://go.dev/cl/752182"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/77952"}, {"source": "security@golang.org", "tags": ["Release Notes"], "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2026-4599"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "crypto/x509: Incorrect enforcement of email constraints in crypto/x509", "id": "2445345", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445345"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-295", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27137", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-03-06T21:28:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27137\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27137\nhttps://go.dev/cl/752182\nhttps://go.dev/issue/77952\nhttps://groups.google.com/g/golang-announce/c/EdhZqrQ98hk\nhttps://pkg.go.dev/vuln/GO-2026-4599"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.26.1)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "crypto/x509", "source": "cna", "vendor": "Go standard library"}, "product": "crypto_tls", "vendor": "go_standard_library"}], "analysis": {"en": {"generated_at": "2026-04-16T11:06:55.230532+00:00", "value": {"mitigation_remediation": ["Upgrade the Go runtime to the latest stable release that incorporates the email constraint enforcement fix.", "Audit all Go\u2011based applications to ensure they use the updated crypto/x509 package before redeploying.", "Implement an explicit audit of email address constraints in certificate validation logic to detect any remaining unvalidated constraints, especially for applications that cannot be immediately recompiled."], "summary": {"action": "Patch Now", "impact": "Certificate impersonation due to bypassed email constraints"}, "threat_synthesis": {"affected_systems": "The affected product is the Go standard library\u2019s crypto/x509 package. Any Go application that uses the default certificate verification routines\u2014including web servers, HTTPS clients, email systems, and other services that validate X.509 certificates\u2014could be impacted. No specific version range is provided in the advisory, so all releases before the fix should be considered vulnerable until an update is applied.", "description_and_impact": "The Go standard library\u2019s crypto/x509 package contains a flaw that causes it to ignore all email address constraints except the last one when a certificate contains multiple constraints that share a local part but differ by domain. This defect allows a malicious certificate to bypass intended email address restrictions, enabling an attacker to forge a certificate that will be accepted as valid for an address it should not be allowed to represent. The vulnerability is classified as a CWE\u2011295 (Improper Restriction of Operations within the Bounds of a Memory Buffer or a Function).", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity risk, but the EPSS score of less than 1\u202f% shows that the current odds of exploitation are very low, and the vulnerability is not listed in the CISA KEV catalog. The flaw can be exploited in any context where a Go program accepts or validates certificates that include email constraints. An attacker could deliver a crafted certificate chain to a vulnerable application, tricking it into accepting a certificate that does not meet the intended email restrictions and potentially allowing impersonation or unauthorized access."}}}}, "created": "2026-03-09T10:06:46.142821+00:00", "updated": "2026-04-16T11:15:27.681974+00:00", "vendors": ["go_standard_library", "go_standard_library$PRODUCT$crypto_tls"]}