CVE-2026-27137 — Incorrect enforcement of email constraints in crypto/x509

Description

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

How to fix CVE-2026-27137

To remediate CVE-2026-27137, upgrade the affected package to a fixed version below.

—upgrade to 1.26.1 or later
—upgrade to 1.26.1-1 or later
—upgrade to 1.26.1 or later

Is CVE-2026-27137 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 1.26.0-0, < 1.26.1
from 0, < 1.26.1-1
>= 1.26.0-0, < 1.26.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (6)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-27137
PATCHgo.dev/cl/752182
REPORTgo.dev/issue/77952
WEBgroups.google.com/g/golang-announce/c/EdhZqrQ98hk
WEBnvd.nist.gov/vuln/detail/CVE-2026-27137