CVE-2026-27137
Published: 06 March 2026
Summary
CVE-2026-27137 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Golang Go. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 3.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
When certificates are used to establish component provenance, the control requires correct certificate validation procedures.
Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.
Correct system time is required for proper enforcement of certificate notBefore/notAfter dates and time-based revocation checks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remotely triggerable crash/DoS condition in Go's certificate chain validation logic (CWE-295) when processing crafted chains, directly enabling application-layer DoS via exploitation of the vulnerable verification code path.
NVD Description
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
Deeper analysisAI
CVE-2026-27137 is a vulnerability in the Go programming language's certificate chain verification process. When verifying a certificate chain that contains a certificate with multiple email address constraints sharing common local portions but different domain portions, these constraints are not properly applied, and only the last constraint is considered. This flaw, classified under CWE-295 (Improper Certificate Validation), affects the Go standard library's certificate handling components.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), making it exploitable over the network by unauthenticated attackers requiring low complexity and no user interaction. Attackers can trigger the issue by presenting a specially crafted certificate chain during verification, resulting in a denial of service that impacts availability without compromising confidentiality or integrity.
Go project advisories recommend mitigation by updating to patched versions. The issue is detailed in the Go security announcement at https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk, with the fix implemented in change list https://go.dev/cl/752182 and tracked via issue https://go.dev/issue/77952. Further details are available in the Go vulnerability database at https://pkg.go.dev/vuln/GO-2026-4599.
Details
- CWE(s)