CVE-2026-27137

NameCVE-2026-27137
DescriptionWhen verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-1.15 (PTS)bullseye1.15.15-1~deb11u4fixed
golang-1.19 (PTS)bookworm1.19.8-2fixed
golang-1.24 (PTS)trixie1.24.4-1fixed
forky, sid1.24.13-2fixed
golang-1.25 (PTS)forky, sid1.25.8-1fixed
golang-1.26 (PTS)forky, sid1.26.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-1.15source(unstable)(not affected)
golang-1.19source(unstable)(not affected)
golang-1.24source(unstable)(not affected)
golang-1.25source(unstable)(not affected)
golang-1.26source(unstable)1.26.1-1

Notes

- golang-1.25 <not-affected> (Vulnerable code not present)
- golang-1.24 <not-affected> (Vulnerable code not present)
- golang-1.19 <not-affected> (Vulnerable code not present)
- golang-1.15 <not-affected> (Vulnerable code not present)
https://github.com/golang/go/issues/77952
Fixed by: https://github.com/golang/go/commit/a761c9ff70fec8e1089897eebd104a8f31cff2d3 (go1.26.1)
Search for package or bug name: Reporting problems