Fluid Attacks Database

Description

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	stdlib	>=1.26.0-0 <1.26.1	1.26.1
debian 14	golang-1.26	=1.26.0-1 \|\| =1.26~rc2-1 \|\| =1.26~rc3-1 \|\| =1.26~rc3-2 \|\| >=0 <1.26.1-1	1.26.1-1
rpm rhel10	butane	-	-
rpm rhel10	rhc-worker-playbook	<0:0.2.3-4.el10_1 \|\| >=0:0.2.7, <0:0.2.7-3.el10_2	0:0.2.7-3.el10_2
rpm rhel9	podman	-	-
rpm rhel9	conmon	-	-
rpm rhel10	osbuild-composer	<0:165.1-2.el10_2	0:165.1-2.el10_2
rpm rhel10	yggdrasil	-	-
rpm rhel10	bootc-image-builder	-	-
rpm rhel9	butane	-	-

1-10 of 37

Aliases

1. CVE-2026-271372. NVD-2026-271373. OSV-GO-2026-45994. OSV-2026-271375. OSV-DEBIAN-2026-271376. GCVE-2026-271377. SECURITY-TRACKER-CVE-2026-27137

References

1. https://go.dev/cl/7521822. https://go.dev/issue/779523. https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk