Go <1.26: crypto/x509 Email Constraint Bug
CVE-2026-27137 Published on March 6, 2026

Incorrect enforcement of email constraints in crypto/x509
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

NVD

Vulnerability Analysis

CVE-2026-27137 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

Improper Certificate Validation

The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.


Products Associated with CVE-2026-27137

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Openstack
 
Red Hat Enterprise Linux Eus
 
Red Hat Enterprise Linux (RHEL)
 
Red Hat Rhel Eus
 
Red Hat Devworkspace
 
Red Hat Logging
 
Red Hat Multicluster Globalhub
 
Red Hat Openshift Api Data Protection
 
Red Hat Acm
 
Red Hat Ansible Automation Platform
 
Red Hat Hummingbird
 
Red Hat Lightspeed For Runtimes
 
Red Hat Openshift Ai
 
Red Hat Openshift Builds
 
Red Hat Openshift Devspaces
 
Red Hat Openshift Gitops
 
Red Hat Openshift Distributed Tracing
 
Red Hat Quay
 
Red Hat Satellite
 
Red Hat Trusted Artifact Signer
 
Red Hat Webterminal
 
Red Hat Assisted Installer
 
Red Hat Confidential Compute Attestation
 
Red Hat Deployment Validator Operator
 
Red Hat Ext Dns Optr
 
Red Hat Workload Availability Far
 
Red Hat Gatekeeper
 
Red Hat Lvms
 
Red Hat Migration Toolkit Applications
 
Red Hat Rhmt
 
Red Hat Mirror Registry
 
Red Hat Ocp Tools
 
Red Hat Openshift Lightspeed
 
Red Hat Openshift Pipelines
 
Red Hat Serverless
 
Red Hat 3scale Amp
 
Red Hat Apache Camel Hawtio
 
Red Hat Certifications
 
Red Hat Connectivity Link
 
Red Hat Rhdh
 
Red Hat Edge Manager
 
Red Hat Enterprise Linux Ai
 
Red Hat Openshift Cluster Manager Cli
 
Red Hat Openshift
 
Red Hat Openshift Data Foundation
 
Red Hat Openshift Service On Aws
 
Red Hat Amq Streams
 
Red Hat Zero Trust Workload Identity Manager
 
Red Hat Cert Manager
 
Red Hat Openshift Compliance Operator
 
Red Hat Cryostat
 
Red Hat Openshift Custom Metrics Autoscaler
 
Red Hat External Secrets Operator
 
Red Hat Openshift File Integrity Operator
 
Red Hat Workload Availability Mdr
 
Red Hat Multicluster Engine
 
Red Hat Network Observ Optr
 
Red Hat Workload Availability Nhc
 
Red Hat Service Mesh
 
Red Hat Openshift Power Monitoring
 
Red Hat Advanced Cluster Security
 
Red Hat Windows Machine Config
 
Red Hat Container Native Virtualization
 
Red Hat Service Interconnect
 
Red Hat Openshift Security Profiles Operator
 
Red Hat Stf
 

Affected Versions

Go standard library crypto/x509: Red Hat OpenStack Platform 17.1: Red Hat Enterprise Linux AppStream EUS (v. 10.0): Red Hat Enterprise Linux AppStream (v. 10): Red Hat Enterprise Linux AppStream EUS (v.9.6): Red Hat Enterprise Linux AppStream (v. 9): Red Hat DevWorkspace Operator 0.4: Logging Subsystem for Red Hat OpenShift 6.0: Logging Subsystem for Red Hat OpenShift 6.2: Logging Subsystem for Red Hat OpenShift 6.4: Red Hat Multicluster Global Hub 1.3.4: Red Hat Multicluster Global Hub 1.4.5: Red Hat Multicluster Global Hub 1.5.4: Red Hat Multicluster Global Hub 1.6.2: Red Hat OpenShift API for Data Protection 1.4: Red Hat OpenShift API for Data Protection 1.5: Red Hat Advanced Cluster Management for Kubernetes 2.15: Red Hat Ansible Automation Platform 2.6: Red Hat Hardened Images: Red Hat Lightspeed (formerly Insights) for Runtimes 1: Red Hat OpenShift AI 2.25: Red Hat OpenShift Builds 1.6.5: Red Hat OpenShift Builds 1.7.3: Red Hat OpenShift Dev Spaces 3.27: Red Hat OpenShift GitOps 1.18: Red Hat OpenShift GitOps 1.19: Red Hat OpenShift GitOps 1.2: Red Hat OpenShift distributed tracing 3.9.3: Red Hat Quay 3.16: Red Hat Satellite 6.18: Red Hat Trusted Artifact Signer 1.3: Red Hat Web Terminal 1.11: Red Hat Web Terminal 1.12: Red Hat Web Terminal 1.13: Red Hat Web Terminal 1.14: Red Hat Web Terminal 1.15: Assisted Installer for Red Hat OpenShift Container Platform 2: Red Hat Confidential Compute Attestation: Red Hat Deployment Validation Operator: Red Hat ExternalDNS Operator: Red Hat Fence Agents Remediation Operator: Red Hat Gatekeeper 3: Logging Subsystem for Red Hat OpenShift: Red Hat Logical Volume Manager Storage: Red Hat Migration Toolkit for Applications 8: Red Hat Migration Toolkit for Containers: mirror registry for Red Hat OpenShift: Red Hat OpenShift Developer Tools and Services: Red Hat OpenShift Lightspeed: Red Hat OpenShift Pipelines: Red Hat OpenShift Serverless: Red Hat 3scale API Management Platform 2: Red Hat build of Apache Camel - HawtIO 4: Red Hat Certification Program for Red Hat Enterprise Linux 9: Red Hat Connectivity Link 1: Red Hat Developer Hub: Red Hat Edge Manager 1: Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 7: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 9: Red Hat Enterprise Linux AI (RHEL AI) 3: Red Hat OpenShift Cluster Manager CLI: Red Hat OpenShift Container Platform 4: Red Hat Openshift Data Foundation 4: Red Hat OpenShift on AWS: Red Hat OpenStack Platform 16.2: Red Hat OpenStack Platform 18.0: Red Hat Quay 3: Red Hat Satellite 6: Red Hat streams for Apache Kafka 3: Red Hat Zero Trust Workload Identity Manager: Red Hat Zero Trust Workload Identity Manager - Tech Preview: cert-manager Operator for Red Hat OpenShift: Red Hat Compliance Operator: Red Hat Cryostat 4: Custom Metric Autoscaler operator for Red Hat Openshift: External Secrets Operator for Red Hat OpenShift: Red Hat File Integrity Operator: Red Hat Machine Deletion Remediation Operator: mirror registry for Red Hat OpenShift 2: Red Hat Multicluster Engine for Kubernetes: Red Hat Network Observability Operator: Red Hat Node HealthCheck Operator: Red Hat OpenShift Service Mesh 2: Red Hat OpenShift Service Mesh 3: Power monitoring for Red Hat OpenShift: Red Hat Advanced Cluster Security 4: Red Hat Ansible Automation Platform 2: Red Hat OpenShift AI (RHOAI): Red Hat OpenShift for Windows Containers: Red Hat OpenShift Virtualization 4: Red Hat Service Interconnect 1: Red Hat Service Interconnect 2: Red Hat Security Profiles Operator: Red Hat Service Telemetry Framework 1.5:

Exploit Probability

EPSS
0.36%
Percentile
27.49%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.