FKIE_CVE-2026-27137

Vulnerability from fkie_nvd - Published: 2026-03-06 22:16 - Updated: 2026-03-10 18:18
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
References
security@golang.orghttps://go.dev/cl/752182
security@golang.orghttps://go.dev/issue/77952
security@golang.orghttps://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
security@golang.orghttps://pkg.go.dev/vuln/GO-2026-4599
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered."
    },
    {
      "lang": "es",
      "value": "Al verificar una cadena de certificados que contiene un certificado con m\u00faltiples restricciones de direcci\u00f3n de correo electr\u00f3nico que comparten porciones locales comunes pero porciones de dominio diferentes, estas restricciones no se aplicar\u00e1n correctamente, y solo la \u00faltima restricci\u00f3n ser\u00e1 considerada."
    }
  ],
  "id": "CVE-2026-27137",
  "lastModified": "2026-03-10T18:18:44.163",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-06T22:16:00.850",
  "references": [
    {
      "source": "security@golang.org",
      "url": "https://go.dev/cl/752182"
    },
    {
      "source": "security@golang.org",
      "url": "https://go.dev/issue/77952"
    },
    {
      "source": "security@golang.org",
      "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
    },
    {
      "source": "security@golang.org",
      "url": "https://pkg.go.dev/vuln/GO-2026-4599"
    }
  ],
  "sourceIdentifier": "security@golang.org",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.