Skip to main content

Red Hat CVE-2026-32884

| EUVDEUVD-2026-17212 MEDIUM
Improper Certificate Validation (CWE-295)
2026-03-30 GitHub_M
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.11.0
EUVD ID Assigned
Mar 30, 2026 - 21:00 euvd
EUVD-2026-17212
Analysis Generated
Mar 30, 2026 - 21:00 vuln.today
CVE Published
Mar 30, 2026 - 20:36 nvd
MEDIUM 5.9

DescriptionGitHub Advisory

Botan is a C++ cryptography library. Prior to version 3.11.0, during processing of an X.509 certificate path using name constraints which restrict the set of allowable DNS names, if no subject alternative name is defined in the end-entity certificate Botan would check that the CN was allowed by the DNS name constraints, even though this check is technically not required by RFC 5280. However this check failed to account for the possibility of a mixed-case CN. Thus a certificate with CN=Sub.EVIL.COM and no subject alternative name would bypasses an excludedSubtrees constraint for evil.com because the comparison is case-sensitive. This issue has been patched in version 3.11.0.

AnalysisAI

Botan cryptography library versions prior to 3.11.0 fail to properly validate X.509 certificate DNS name constraints due to case-sensitive comparison of the Common Name field, allowing attackers to present certificates with mixed-case Common Names that bypass name constraint restrictions and potentially establish unauthorized secure connections to restricted domains.

Technical ContextAI

Botan is a C++ cryptography library used for SSL/TLS and certificate validation. The vulnerability exists in the X.509 certificate path validation logic that processes name constraints, specifically the excludedSubtrees constraint as defined in RFC 5280. When an end-entity certificate lacks a Subject Alternative Name (SAN) extension, RFC 5280 technically does not require validation of the Common Name (CN) against name constraints; however, Botan implements this additional check. The root cause (CWE-295: Improper Certificate Validation) stems from a case-sensitive string comparison when evaluating whether a CN matches a DNS name constraint. RFC 5280 specifies that DNS name comparisons must be performed in a case-insensitive manner. A certificate with CN=Sub.EVIL.COM would bypass an excludedSubtrees constraint for evil.com because the uppercase characters in the CN do not match the lowercase constraint during the case-sensitive comparison, allowing the certificate to be incorrectly validated as compliant with the constraint.

RemediationAI

The primary remediation is to upgrade Botan to version 3.11.0 or later, which patches the case-sensitive comparison issue by implementing case-insensitive DNS name validation consistent with RFC 5280 requirements. Organizations unable to immediately upgrade should review their certificate validation configurations and consider disabling name constraint enforcement if it is not critical to their security posture, though this is not recommended for PKI infrastructure. System administrators should audit any certificates currently in use that were issued with name constraints to ensure no mixed-case CN values were accepted during validation. The patch is available in the official Botan GitHub repository (https://github.com/randombit/botan/security/advisories/GHSA-7c3g-7763-ggj5).

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 12 SP5 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security Fixed
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP5 Fixed

Share

CVE-2026-32884 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy