Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Botan is a C++ cryptography library. Prior to version 3.11.0, during processing of an X.509 certificate path using name constraints which restrict the set of allowable DNS names, if no subject alternative name is defined in the end-entity certificate Botan would check that the CN was allowed by the DNS name constraints, even though this check is technically not required by RFC 5280. However this check failed to account for the possibility of a mixed-case CN. Thus a certificate with CN=Sub.EVIL.COM and no subject alternative name would bypasses an excludedSubtrees constraint for evil.com because the comparison is case-sensitive. This issue has been patched in version 3.11.0.
AnalysisAI
Botan cryptography library versions prior to 3.11.0 fail to properly validate X.509 certificate DNS name constraints due to case-sensitive comparison of the Common Name field, allowing attackers to present certificates with mixed-case Common Names that bypass name constraint restrictions and potentially establish unauthorized secure connections to restricted domains.
Technical ContextAI
Botan is a C++ cryptography library used for SSL/TLS and certificate validation. The vulnerability exists in the X.509 certificate path validation logic that processes name constraints, specifically the excludedSubtrees constraint as defined in RFC 5280. When an end-entity certificate lacks a Subject Alternative Name (SAN) extension, RFC 5280 technically does not require validation of the Common Name (CN) against name constraints; however, Botan implements this additional check. The root cause (CWE-295: Improper Certificate Validation) stems from a case-sensitive string comparison when evaluating whether a CN matches a DNS name constraint. RFC 5280 specifies that DNS name comparisons must be performed in a case-insensitive manner. A certificate with CN=Sub.EVIL.COM would bypass an excludedSubtrees constraint for evil.com because the uppercase characters in the CN do not match the lowercase constraint during the case-sensitive comparison, allowing the certificate to be incorrectly validated as compliant with the constraint.
RemediationAI
The primary remediation is to upgrade Botan to version 3.11.0 or later, which patches the case-sensitive comparison issue by implementing case-insensitive DNS name validation consistent with RFC 5280 requirements. Organizations unable to immediately upgrade should review their certificate validation configurations and consider disabling name constraint enforcement if it is not critical to their security posture, though this is not recommended for PKI infrastructure. System administrators should audit any certificates currently in use that were issued with name constraints to ensure no mixed-case CN values were accepted during validation. The patch is available in the official Botan GitHub repository (https://github.com/randombit/botan/security/advisories/GHSA-7c3g-7763-ggj5).
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 12 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP1 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP2 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 | Fixed |
| SUSE Linux Enterprise Server 12 SP1 | Fixed |
| SUSE Linux Enterprise Server 12 SP2 | Fixed |
| SUSE Linux Enterprise Server 12 SP3 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP1 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP2 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP3 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17212