Incorrect enforcement of email constraints in crypto/x509

GO-2026-4599 · BIT-golang-2026-27137 · CVE-2026-27137

Published Mar 6, 2026 · Modified Jun 5, 2026

Description

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

References

FIX https://go.dev/cl/752182
REPORT https://go.dev/issue/77952
WEB https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes