Bug 2445345 (CVE-2026-27137)

Summary: CVE-2026-27137 crypto/x509: Incorrect enforcement of email constraints in crypto/x509
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abarbaro, abrianik, akostadi, akoudelk, alcohan, alebedev, alizardo, amasferr, anjoseph, anpicker, ansmith, anthomas, bbrownin, bdettelb, bparees, chfoley, ckandaga, cmah, crizzo, dhanak, dmayorov, doconnor, drosa, dschmidt, dsimansk, dymurray, eaguilar, ebaron, eborisov, eglynn, ehelms, erezende, fdeutsch, ggainey, ggrzybek, gparvin, hasun, ibolton, jbalunas, jburrell, jcantril, jchui, jeder, jfula, jhe, jjoyce, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jowilson, jprabhak, jpretori, jraez, jschluet, juwatts, kingland, kshier, ktsao, kverlaen, lball, lbragsta, lchilton, lgamliel, lhh, lphiri, manissin, mbocek, mburns, mgarciac, mhulan, mnovotny, mrunge, mwringe, nboldt, ngough, nmoumoul, nyancey, oaljalju, ometelka, oramraz, osousa, pahickey, pantinor, parichar, pcreech, peholase, pgaikwad, pjindal, psrna, ptisnovs, pvasanth, rchan, rfreiman, rgodfrey, rhaigner, rhel-process-autobot, rjohnson, rojacob, sakbas, sausingh, sdawley, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sseago, stcannon, stirabos, swoodman, syedriko, tasato, teagle, thason, tmalecek, tsedmik, veshanka, vimartin, watson-tool-maintainers, wenshen, whayutin, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A certificate validation flaw has been discovered in the golang crypto/x509 module. When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2446047    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-06 22:02:01 UTC 
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
Comment 8 errata-xmlrpc 2026-04-20 00:34:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:8842 https://access.redhat.com/errata/RHSA-2026:8842
Comment 9 errata-xmlrpc 2026-04-23 17:46:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:10169 https://access.redhat.com/errata/RHSA-2026:10169
Comment 10 errata-xmlrpc 2026-04-27 13:50:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:10929 https://access.redhat.com/errata/RHSA-2026:10929