Certificate Verification Flaw in Go's Cryptography Module
CVE-2026-27137

7.5HIGH

Key Information:

Vendor: Go Standard Library
Status: Crypto/x509
Vendor: CVE Published:; 6 March 2026

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2026-27137?

A flaw in the certificate verification process of Go's cryptography module has been identified, where it fails to properly apply multiple email address constraints in a certificate chain. When dealing with certificates that have local portions that are identical yet differ in their domain portions, only the last specified constraint is acknowledged. This vulnerability could potentially lead to misconfigured security policies, allowing unintended access or verification issues, thus posing a risk to applications reliant on accurate certificate validation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

crypto/x509 1.26.0-0 < 1.26.1

References

https://go.dev/cl/752182

https://go.dev/issue/77952

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 6, 2026
Vulnerability Reserved
Feb 17, 2026

Credit

Jakub Ciolek

JSON

Go Standard Library

What is CVE-2026-27137?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.