CVE-2026-27137: Incorrect enforcement of email constraints in crypto/x509
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
Security readout for executives and security teams
Plain-English summary
This flaw affects Go's certificate validation library. In a narrow email-certificate case, multiple email constraints can be enforced incorrectly, so validation may rely only on the last matching constraint. Organizations using Go for certificate-chain verification should treat this as important, but the provided sources do not show active exploitation.
Executive priority
Prioritize assessment and patch planning for systems where Go validates certificates for trust decisions. The issue is high severity, but urgency is reduced if the environment does not process email-constrained certificate chains and no exploitation evidence is available.
Technical view
In Go standard library crypto/x509, certificate chains with multiple email address constraints sharing the same local portion but different domains may not apply all constraints. The CVE maps to CWE-295 and CVSS 7.5. The bundle identifies affected package crypto/x509 and version 1.26.0-0, with Go and Red Hat advisories referenced.
Likely exposure
Exposure is most likely in Go applications or bundled products that use crypto/x509 to verify certificate chains involving email address name constraints. The provided bundle does not identify broader affected products beyond Go standard library crypto/x509 and Red Hat advisory tracking.
Exploitation context
The CVE is not listed as KEV in the provided bundle. No cited source in the bundle states active exploitation. Practical impact depends on whether an application validates certificate chains containing the specific email constraint pattern.
Researcher notes
The key behavior is constraint collapse: multiple email constraints with common local portions and different domains may leave only the last constraint effective. Validate against vendor advisories before assigning affected status because the bundle provides limited version detail.
Mitigation direction
Review Go advisory GO-2026-4599 and Go announcement for fixed release guidance.
Apply relevant vendor updates from Go or Red Hat when applicable.
Inventory Go applications that perform certificate-chain verification with crypto/x509.
Prioritize externally exposed trust-validation paths and packaged Go runtimes.
Validation and detection
Identify deployed Go versions and packaged Go runtime sources.
Search dependency and build records for crypto/x509 certificate verification use.
Review certificate validation tests covering email name constraints.
Confirm applicable Red Hat errata status for managed platforms.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-295: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-295 · source CWE mapping
Improper Certificate Validation
Improper Certificate Validation represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.