Platform
go
Component
stdlib
Fixed in
1.26.1
CVE-2026-27137 describes a certificate validation vulnerability within the Go standard library (stdlib). This flaw allows attackers to bypass validation checks by exploiting how email address constraints within certificates are handled. Affected versions are those prior to 1.26.1; upgrading to this version resolves the issue. The vulnerability stems from improper handling of multiple email address constraints sharing common local portions but differing domain portions.
The core impact of CVE-2026-27137 lies in the potential for man-in-the-middle (MITM) attacks. An attacker can craft a malicious certificate chain where the email address constraints are designed to bypass validation. This allows the attacker to impersonate a legitimate server, intercepting and potentially modifying traffic between a client and the intended server. The blast radius is significant, impacting any application relying on Go's certificate validation routines for secure communication, such as TLS connections. This could affect web servers, API clients, and any other service utilizing certificate-based authentication.
CVE-2026-27137 was publicly disclosed on 2026-03-06. There are currently no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. It's crucial to prioritize patching due to the potential for MITM attacks and the relative ease of crafting malicious certificates.
Applications built using Go and relying on the standard library's certificate validation routines are at risk. This includes web servers, API clients, and any service utilizing TLS connections. Systems using older Go versions and lacking robust certificate pinning policies are particularly vulnerable.
Exploit Status
EPSS
0.01% (2nd percentile)
The primary mitigation for CVE-2026-27137 is to upgrade to Go version 1.26.1 or later. This version includes a fix that correctly handles email address constraints during certificate chain validation. If upgrading is not immediately feasible, consider implementing stricter certificate pinning policies within your applications to limit the certificates that are trusted. While not a direct fix, this can reduce the attack surface. Thoroughly review your application's certificate validation logic to ensure it adheres to best practices and doesn't rely on potentially flawed assumptions.
Update the crypto/x509 library to version 1.26.1 or later. This corrects the faulty validation of email constraints in X.509 certificates.
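One way to implement the certificate pinning suggested above, as an added Go example that is not the page's or the Go project's own code: it pins the SHA-256 of the leaf's SubjectPublicKeyInfo in a `tls.Config.VerifyPeerCertificate` callback, which crypto/tls runs after, not instead of, its built-in chain validation. The hostnames and the self-signed test certificate are constructed for the example; the pin values in a real deployment would come from the server's actual key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the hex SHA-256 of the certificate's SubjectPublicKeyInfo.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// pinVerifier returns a tls.Config.VerifyPeerCertificate callback. With
// InsecureSkipVerify false, crypto/tls validates the chain first and then calls
// this, so the pin is a second, independent gate the leaf's public key must pass.
func pinVerifier(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("pin check: no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0]) // rawCerts[0] is the leaf
		if err != nil {
			return fmt.Errorf("pin check: cannot parse leaf certificate: %w", err)
		}
		if pin := spkiPin(leaf); !pins[pin] {
			return fmt.Errorf("pin check: leaf SPKI %s is not pinned", pin)
		}
		return nil
	}
}

// selfSignedDER builds a throwaway self-signed certificate (constructed test input).
func selfSignedDER(cn string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
```

Wire it in with `tls.Config{VerifyPeerCertificate: pinVerifier(pins)}` and keep `InsecureSkipVerify` false so the standard validation still runs first.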
CVE-2026-27137 is a vulnerability in the Go standard library where certificate validation fails when handling multiple email address constraints, potentially allowing MITM attacks.
You are affected if you are using Go versions prior to 1.26.1 and rely on the standard library's certificate validation routines for secure communication.
Upgrade to Go version 1.26.1 or later to resolve the vulnerability. Consider implementing certificate pinning as an additional security measure.
As of now, there are no publicly known active exploits for CVE-2026-27137, but it's crucial to patch proactively.
Refer to the official Go security advisory for detailed information and updates: [https://go.dev/security](https://go.dev/security)