CVE-2026-27137
Published: 06 March 2026
Summary
CVE-2026-27137 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Go (recorded under the vendor/product name Golang Go). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its exploit-likelihood ranking is at the 3.7th percentile, well below the median, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-27137 is a defect in the Go standard library's certificate chain verification (crypto/x509). The name constraints extension of a CA certificate may list several rfc822Name (email address) constraints. When such a certificate carries multiple email constraints that share the same local part (the text before the @) but differ in the domain part, the verifier does not apply all of them: only the last constraint in the list takes effect. The weakness is classified as CWE-295 (Improper Certificate Validation).
The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): reachable over the network by an unauthenticated attacker, with low attack complexity and no user interaction. The attacker's lever is a crafted certificate chain presented to anything that verifies chains with crypto/x509 (TLS peers, client certificates, signed mail); the scored impact is on availability only, with no confidentiality or integrity impact. Note that the score and the description pull in different directions: a constraint that is silently skipped is normally read as an enforcement gap, while the vector credits only a denial of service. Treat the vector as the published assessment, and confirm the concrete effect on your own chains against the Go advisory before deciding how urgently to act.
The Go project's guidance is to update to a patched Go release and rebuild. The announcement is at https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk; the fix is change list https://go.dev/cl/752182, tracked as issue https://go.dev/issue/77952, and the vulnerability database entry with the affected and fixed versions is https://pkg.go.dev/vuln/GO-2026-4599. Because the flaw is in the standard library, govulncheck (which reads the same database) reports GO-2026-4599 for any module or binary built with an affected toolchain, which is the quickest way to find which deployed binaries still need a rebuild.
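As an added illustration of the certificate shape the advisory describes (this is example code written for this page, not code from the Go project or from the fix), the following Go program builds a self-signed root whose name constraints permit two rfc822Name entries with the same local part and different domains, issues a leaf under it for each of three addresses, and runs the standard crypto/x509 verifier on each chain. The names alice@example.com, alice@example.org and bob@example.com, the helper names and the fixture are all constructed. Per RFC 5280 both alice leaves must verify and bob must be rejected with CANotAuthorizedForThisName; a verifier that honours only the last constraint would reject the alice@example.com leaf as well, which is the case to watch when checking a toolchain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ConstrainedCA is a constructed fixture: a self-signed root whose nameConstraints
// extension lists the permitted rfc822Name entries given to NewConstrainedCA.
type ConstrainedCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewConstrainedCA builds the root; the advisory's pattern is several entries
// with the same local part and different domain parts.
func NewConstrainedCA(permittedEmails []string) (*ConstrainedCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Constrained Test Root"},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign,
		PermittedEmailAddresses:     permittedEmails,
		PermittedDNSDomainsCritical: true, // marks the nameConstraints extension critical
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ConstrainedCA{Cert: cert, Key: key}, nil
}

// IssueAndVerify issues a leaf whose only SAN is the given rfc822Name and runs
// crypto/x509 chain verification on it; nil means the chain verified.
func (ca *ConstrainedCA) IssueAndVerify(email string) error {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: "leaf"},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(time.Hour),
		EmailAddresses: []string{email}, // the SAN the constraints are matched against
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &leafKey.PublicKey, ca.Key)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// IsNameConstraintRejection distinguishes crypto/x509's CANotAuthorizedForThisName
// (constraints applied, name refused) from any other verification failure.
func IsNameConstraintRejection(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	// Constructed names: two permitted constraints sharing the local part "alice".
	ca, err := NewConstrainedCA([]string{"alice@example.com", "alice@example.org"})
	if err != nil {
		panic(err)
	}
	// Per RFC 5280 both alice leaves verify and bob is rejected; a verifier honouring
	// only the last constraint would reject alice@example.com too.
	for _, email := range []string{"alice@example.com", "alice@example.org", "bob@example.com"} {
		err := ca.IssueAndVerify(email)
		fmt.Printf("%-18s verified=%-5v constraintRejection=%v\n", email, err == nil, IsNameConstraintRejection(err))
	}
}
```

Run it with go run on the toolchain you want to check. Excluded constraints can be exercised the same way by populating ExcludedEmailAddresses instead of PermittedEmailAddresses. The result is classified on CANotAuthorizedForThisName specifically so that a signature, validity-period or key-usage failure is not mistaken for a constraint decision.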
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10085
Vulnerability details
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
- CWE(s): CWE-295 (Improper Certificate Validation)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1499.004 Application or System Exploitation
Why these techniques?
The CVE describes a denial-of-service condition in Go's certificate chain verification (CWE-295) that an unauthenticated remote party can trigger by presenting a crafted chain. That is application-layer DoS through exploitation of the vulnerable verification code path, which is what T1499.004 covers.
Affected Assets
Go standard library, certificate chain verification (crypto/x509). Affected and fixed Go versions are listed in the vulnerability database entry GO-2026-4599; any binary built with an affected toolchain carries the defect until it is rebuilt.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): update the Go toolchain to a patched release, then rebuild and redeploy affected binaries so that chain verification applies every email address constraint rather than only the last one.
SC-17 (Public Key Infrastructure Certificates): issue and obtain certificates under a defined certificate policy. In practice that means knowing which of your CAs issue name-constrained certificates with rfc822Name constraints and which Go-based services verify them, so the exposure can be scoped rather than guessed.
RA-5 (Vulnerability Monitoring and Scanning): scan for affected toolchain and standard library versions (govulncheck reports GO-2026-4599 against affected modules and binaries) so that vulnerable builds are found and prioritised for patching.