CVE Catalog

CVE-2026-9648

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.02%

5th percentile — higher than 5% of all known CVEs

Summary

The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees.

Risk Assessment

This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.

Recommendation

It is recommended to update the library to the latest version that fixes the enforcement of X.509 NameConstraints and to review and verify TLS certificates.

Original NVD description (English source)

The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS