Bug 2445345 (CVE-2026-27137)

Summary: CVE-2026-27137 crypto/x509: Incorrect enforcement of email constraints in crypto/x509
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abarbaro, abrianik, akostadi, akoudelk, alcohan, alebedev, alizardo, amasferr, anjoseph, anpicker, ansmith, anthomas, bbrownin, bdettelb, bparees, chfoley, ckandaga, cmah, crizzo, dhanak, dmayorov, doconnor, drosa, dschmidt, dsimansk, dymurray, eaguilar, ebaron, eborisov, eglynn, ehelms, erezende, fdeutsch, ggainey, ggrzybek, gparvin, hasun, ibolton, jbalunas, jburrell, jcantril, jchui, jeder, jfula, jhe, jjoyce, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jowilson, jprabhak, jpretori, jraez, jschluet, juwatts, kingland, kshier, ktsao, kverlaen, lball, lbragsta, lchilton, lgamliel, lhh, lphiri, manissin, mbocek, mburns, mgarciac, mhulan, mnovotny, mrunge, mwringe, nboldt, ngough, nmoumoul, nyancey, oaljalju, ometelka, oramraz, osousa, pahickey, pantinor, parichar, pcreech, peholase, pgaikwad, pjindal, psrna, ptisnovs, pvasanth, rchan, rfreiman, rgodfrey, rhaigner, rhel-process-autobot, rjohnson, rojacob, sakbas, sausingh, sdawley, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sseago, stcannon, stirabos, swoodman, syedriko, tasato, teagle, thason, tmalecek, tsedmik, veshanka, vimartin, watson-tool-maintainers, wenshen, whayutin, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A certificate validation flaw has been discovered in the golang crypto/x509 module. When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2446047    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-06 22:02:01 UTC 
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
Comment 8 errata-xmlrpc 2026-04-20 00:34:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:8842 https://access.redhat.com/errata/RHSA-2026:8842
Comment 9 errata-xmlrpc 2026-04-23 17:46:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:10169 https://access.redhat.com/errata/RHSA-2026:10169
Comment 10 errata-xmlrpc 2026-04-27 13:50:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:10929 https://access.redhat.com/errata/RHSA-2026:10929
Comment 13 errata-xmlrpc 2026-05-19 13:02:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19022 https://access.redhat.com/errata/RHSA-2026:19022
Comment 14 errata-xmlrpc 2026-05-19 13:06:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19049 https://access.redhat.com/errata/RHSA-2026:19049
Comment 15 errata-xmlrpc 2026-05-19 16:05:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19132 https://access.redhat.com/errata/RHSA-2026:19132
Comment 16 errata-xmlrpc 2026-05-19 17:59:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19181 https://access.redhat.com/errata/RHSA-2026:19181
Comment 17 errata-xmlrpc 2026-06-02 11:08:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:22450 https://access.redhat.com/errata/RHSA-2026:22450
Comment 18 errata-xmlrpc 2026-06-03 08:00:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:22714 https://access.redhat.com/errata/RHSA-2026:22714
Comment 19 errata-xmlrpc 2026-06-03 18:49:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:22937 https://access.redhat.com/errata/RHSA-2026:22937
Comment 20 errata-xmlrpc 2026-06-04 13:10:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:23228 https://access.redhat.com/errata/RHSA-2026:23228
Comment 21 errata-xmlrpc 2026-06-22 20:28:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:28038 https://access.redhat.com/errata/RHSA-2026:28038