data/osv/GO-2026-4599.json - vulndb - Git at Google

 {
   "schema_version": "1.3.1",
   "id": "GO-2026-4599",
   "modified": "0001-01-01T00:00:00Z",
   "published": "0001-01-01T00:00:00Z",
   "aliases": [
     "CVE-2026-27137"
   ],
   "summary": "Incorrect enforcement of email constraints in crypto/x509",
   "details": "When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.",
   "affected": [
     {
       "package": {
         "name": "stdlib",
         "ecosystem": "Go"
       },
       "ranges": [
         {
           "type": "SEMVER",
           "events": [
             {
               "introduced": "1.26.0-0"
             },
             {
               "fixed": "1.26.1"
             }
           ]
         }
       ],
       "ecosystem_specific": {
         "imports": [
           {
             "path": "crypto/x509",
             "symbols": [
               "Certificate.Verify",
               "checkChainConstraints",
               "checkConstraints",
               "emailConstraints.query",
               "newEmailConstraints",
               "parseMailboxes"
             ]
           }
         ]
       }
     }
   ],
   "references": [
     {
       "type": "FIX",
       "url": "https://go.dev/cl/752182"
     },
     {
       "type": "REPORT",
       "url": "https://go.dev/issue/77952"
     },
     {
       "type": "WEB",
       "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
     }
   ],
   "credits": [
     {
       "name": "Jakub Ciolek"
     }
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2026-4599",
     "review_status": "REVIEWED"
   }
 }
	{
	"schema_version": "1.3.1",
	"id": "GO-2026-4599",
	"modified": "0001-01-01T00:00:00Z",
	"published": "0001-01-01T00:00:00Z",
	"aliases": [
	"CVE-2026-27137"
	],
	"summary": "Incorrect enforcement of email constraints in crypto/x509",
	"details": "When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.",
	"affected": [
	{
	"package": {
	"name": "stdlib",
	"ecosystem": "Go"
	},
	"ranges": [
	{
	"type": "SEMVER",
	"events": [
	{
	"introduced": "1.26.0-0"
	},
	{
	"fixed": "1.26.1"
	}
	]
	}
	],
	"ecosystem_specific": {
	"imports": [
	{
	"path": "crypto/x509",
	"symbols": [
	"Certificate.Verify",
	"checkChainConstraints",
	"checkConstraints",
	"emailConstraints.query",
	"newEmailConstraints",
	"parseMailboxes"
	]
	}
	]
	}
	}
	],
	"references": [
	{
	"type": "FIX",
	"url": "https://go.dev/cl/752182"
	},
	{
	"type": "REPORT",
	"url": "https://go.dev/issue/77952"
	},
	{
	"type": "WEB",
	"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
	}
	],
	"credits": [
	{
	"name": "Jakub Ciolek"
	}
	],
	"database_specific": {
	"url": "https://pkg.go.dev/vuln/GO-2026-4599",
	"review_status": "REVIEWED"
	}
	}