CVE-2026-3833
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk43th percentile - higher than 43% of all known CVEs
Summary
A flaw was found in GnuTLS where case-sensitive comparisons of nameConstraints labels for dNSName and rfc822Name allow a remote attacker to bypass policy by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN). This can lead to unauthorized access or information disclosure.
Risk Assessment
The risk involves bypassing security policies based on name constraints, potentially resulting in unauthorized access to systems or disclosure of sensitive information.
Recommendation
Update GnuTLS to a patched version that fixes case-sensitive comparisons in name constraints. Until updated, restrict trust to certificates from untrusted sources.
Original NVD description (English source)
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.

