GO-2026-4599

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2026-4599

Import Source

https://vuln.go.dev/ID/GO-2026-4599.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2026-4599

Aliases

BIT-golang-2026-27137
CVE-2026-27137

Related

CGA-rq3j-hw6w-7wc2

Published

2026-03-06T21:03:42Z

Modified

2026-03-10T10:43:55.571358Z

Summary

Incorrect enforcement of email constraints in crypto/x509

Details

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2026-4599"
}

References

Credits

- Jakub Ciolek

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

1.26.0-0

Fixed

1.26.1

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "Certificate.Verify",
                "checkChainConstraints",
                "checkConstraints",
                "emailConstraints.query",
                "newEmailConstraints",
                "parseMailboxes"
            ],
            "path": "crypto/x509"
        }
    ]
}

Database specific

source

"https://vuln.go.dev/ID/GO-2026-4599.json"