CVE-2026-27137

Publication date 9 March 2026

Last updated 9 March 2026

Ubuntu priority

Description

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
golang-1.24	25.10 questing	Needs evaluation
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
golang-1.25	25.10 questing	Needs evaluation
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
golang-1.26	25.10 questing	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2026-27137
https://github.com/golang/go/issues/77952
https://go.dev/cl/752182
https://go.dev/issue/77952
https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
https://pkg.go.dev/vuln/GO-2026-4599