Cyber Resilience

CVE-2026-27137

Severity: High
Published: 06 March 2026
Modified: 21 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (see the Go advisory references below)
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.0002 (3.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27137 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in the Go standard library's certificate chain verification (crypto/x509). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS score of 0.0002 places it at the 3.7th percentile for exploit likelihood, well below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), in practice updating to a patched Go release and rebuilding the binaries that embed its standard library, and SC-17 (Public Key Infrastructure Certificates).

Deeper analysis

CVE-2026-27137 is a flaw in how Go's certificate chain verification applies name constraints. When a CA certificate in the chain carries several email address (rfc822Name) constraints that share the same local part but differ in domain (for example, alice@example.com and alice@example.org), only the last of those constraints is applied and the others are dropped. The issue is classified as CWE-295 (Improper Certificate Validation) and lives in the Go standard library's certificate handling code, so any program built with an affected Go toolchain inherits it.

The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) rates the issue as reachable over the network by an unauthenticated attacker with low attack complexity and no user interaction, and scores the impact as availability only. Any peer that can present a certificate chain to the affected verification code, for example during a TLS handshake with a Go client or server, can trigger the faulty constraint handling by supplying a crafted chain. Note that the advisory wording describes constraints being dropped rather than a crash; the record scores that as a denial of service (C:N/I:N/A:H) and claims no confidentiality or integrity impact. Whether a dropped constraint causes a legitimate chain to be rejected or an illegitimate one to be accepted depends on whether it sat in the permitted or the excluded subtree, so test the toolchain you actually ship rather than assuming.
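The following Go program is an added example, not code from the Go project or from this advisory. It builds a throwaway self-signed CA whose name constraints extension carries two permitted rfc822Name constraints that share the local part alice but differ in domain, issues a leaf certificate with an email SAN for each candidate address, and runs crypto/x509 chain verification on every one. The CA, the addresses and the candidate list are all constructed for the demonstration. On a verifier that applies every constraint, both alice@ addresses verify and bob@example.org and alice@example.net are rejected; a verifier that kept only the last constraint would also reject alice@example.com, which is the behaviour the advisory describes. Passing a list as the second argument exercises the excluded subtree in the same way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newConstrainedCA builds a throwaway self-signed CA whose name constraints extension
// has the shape the advisory describes: rfc822Name constraints sharing a local part.
func newConstrainedCA(permitted, excluded []string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "constraint-test-ca"}, // constructed, not a real CA
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign,
		PermittedEmailAddresses:     permitted,
		ExcludedEmailAddresses:      excluded,
		PermittedDNSDomainsCritical: true, // marks the whole name constraints extension critical
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// issueEmailLeaf signs an end-entity certificate carrying one email SAN.
func issueEmailLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: "constraint-test-leaf"},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		EmailAddresses: []string{email},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkEmailConstraints issues one leaf per candidate address under a CA with the given
// constraints and verifies each chain; the map holds each address's verification error
// (nil means the chain verified). The root's name constraints are enforced against the leaf SANs.
func checkEmailConstraints(permitted, excluded, candidates []string) (map[string]error, error) {
	ca, caKey, err := newConstrainedCA(permitted, excluded)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	results := make(map[string]error, len(candidates))
	for _, email := range candidates {
		leaf, err := issueEmailLeaf(ca, caKey, email)
		if err != nil {
			return nil, err
		}
		_, verr := leaf.Verify(opts)
		results[email] = verr
	}
	return results, nil
}

func main() {
	// Constructed sample: two permitted constraints with the same local part, different domains.
	permitted := []string{"alice@example.com", "alice@example.org"}
	candidates := []string{"alice@example.com", "alice@example.org", "bob@example.org", "alice@example.net"}
	results, err := checkEmailConstraints(permitted, nil, candidates)
	if err != nil {
		panic(err)
	}
	for _, email := range candidates {
		fmt.Printf("%-18s %v\n", email, results[email]) // <nil> means the chain verified
	}
}
```

Run it with `go run` on the exact toolchain your release builds use; a rejection of alice@example.com under the permitted list above means that toolchain is not applying every constraint. The one-leaf-per-address loop keeps each verification independent, so a single rejected address can be attributed to the constraint that should have matched it.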

The Go project's remediation is to update to a patched release. The issue is described in the Go security announcement at https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk, fixed in change list https://go.dev/cl/752182 and tracked as issue https://go.dev/issue/77952; the Go vulnerability database entry is https://pkg.go.dev/vuln/GO-2026-4599.

Vulnerability details

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

CWE(s)

CWE-295 Improper Certificate Validation

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes a remotely triggerable denial-of-service condition in Go's certificate chain validation logic (CWE-295) when processing crafted chains, which maps directly to application-layer DoS through exploitation of the vulnerable verification code path.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32281 (same product: Golang Go)
CVE-2026-25679 (same product: Golang Go)
CVE-2026-32283 (same product: Golang Go)
CVE-2025-68121 (same product: Golang Go)
CVE-2026-33810 (same product: Golang Go)
CVE-2026-32280 (same product: Golang Go)
CVE-2025-61726 (same product: Golang Go)
CVE-2026-27144 (same product: Golang Go)
CVE-2025-61731 (same product: Golang Go)
CVE-2026-27143 (same product: Golang Go)

Affected Assets

golang / go, version 1.26.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Requires timely remediation of flaws like CVE-2026-27137 by updating the Go toolchain, and rebuilding the binaries that embed its standard library, to a patched release that correctly handles multiple email address constraints in certificate chains.

SC-17 Public Key Infrastructure Certificates (prevent)

Mandates validation of PKI certificates using defined processes and tools that enforce every email address constraint in a chain, so that crafted chains cannot trigger the denial of service.

Vulnerability scanning (detect / respond)

Scans for vulnerabilities such as this improper certificate validation flaw in Go (the Go vulnerability database tracks it as GO-2026-4599), enabling detection and prioritization for patching.
