Multiple Email Address Constraints in Certificates Cause Incorrect Validation
UBUNTU-CVE-2026-27137
Summary
Certificate chain validation may not apply email address constraints correctly when a certificate contains multiple email address constraints that share a common local part but have different domains: only the last such constraint is considered. This could allow attackers to spoof email addresses. Update the affected software to ensure proper validation of email address constraints.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| canonical | golang-1.24 | All versions | – |
| canonical | golang-1.25 | All versions | – |
Original title
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will...
Original description
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
- https://ubuntu.com/security/CVE-2026-27137 Third Party Advisory
- https://www.cve.org/CVERecord?id=CVE-2026-27137 Third Party Advisory
- https://github.com/golang/go/issues/77952 Third Party Advisory
- https://go.dev/cl/752182 Third Party Advisory
- https://go.dev/issue/77952 Third Party Advisory
- https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk Third Party Advisory
- https://pkg.go.dev/vuln/GO-2026-4599 Third Party Advisory
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026