Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name; it would return true if any certificate in the store had a DN (and subject key identifier, if set) matching that of the argument. It did not check that the cert it found and the cert it was passed were actually the same certificate. In 3.11.0 an extension of path validation logic was made which assumed that certificate_known only returned true if the certificates were in fact identical. The impact is that if an end entity certificate is presented, and its DN (and subject key identifier, if set) match that of any trusted root, the end entity certificate is accepted immediately as if it itself were a trusted root. , This vulnerability is fixed in 3.11.1.
AnalysisAI
Certificate validation bypass in Botan 3.11.0 allows unauthenticated remote attackers to impersonate trusted certificate authorities by presenting end-entity certificates with matching Distinguished Names and subject key identifiers. The flaw in Certificate_Store::certificate_known incorrectly accepts malicious certificates as trusted roots without verifying actual certificate identity, enabling complete TLS/PKI chain validation bypass. This affects only version 3.11.0 and is fixed in 3.11.1. EPSS data not available; no public exploit identified at time of analysis, though the attack vector is network-accessible with low complexity (CVSS:4.0 AV:N/AC:L/PR:N).
Technical ContextAI
Botan is a widely-used C++ cryptography library providing TLS, X.509, and public key infrastructure capabilities. The vulnerability resides in the Certificate_Store::certificate_known function introduced in version 3.11.0, which performs certificate validation during TLS handshakes and X.509 path building. The function was designed to check if a certificate exists in the trusted store but implemented flawed comparison logic-it matched only the Distinguished Name (DN) and optional Subject Key Identifier (SKI) fields rather than performing cryptographic verification of the entire certificate structure. This represents CWE-295 (Improper Certificate Validation), a critical flaw in PKI trust anchor verification. When path validation logic was extended in 3.11.0 to optimize lookups, it incorrectly assumed certificate_known performed identity verification rather than merely attribute matching. The affected product CPE is cpe:2.3:a:randombit:botan:3.11.0, indicating a single-version regression rather than longstanding architectural weakness.
RemediationAI
Upgrade immediately to Botan version 3.11.1, which corrects the Certificate_Store::certificate_known logic to verify complete certificate identity rather than solely DN and SKI attribute matching. The vendor-released patch is available through standard Botan distribution channels and documented in GitHub Security Advisory GHSA-v782-6fq4-q827 at https://github.com/randombit/botan/security/advisories/GHSA-v782-6fq4-q827. Organizations running version 3.11.0 in production should treat this as an emergency upgrade due to the trivial exploit path and critical impact on TLS security. No workarounds are available; the only effective remediation is version upgrade. For systems unable to immediately upgrade, consider temporarily reverting to Botan 3.10.x stable releases until 3.11.1 deployment is feasible, though this may require code compatibility assessment. Verify patch application by confirming installed version reports 3.11.1 or later and review application logs for any suspicious certificate validation failures that may indicate prior exploitation attempts.
Integer overflow in the PointGFp constructor in Botan before 1.10.11 and 1.11.x before 1.11.27 allows remote attackers t
Heap-based buffer overflow in the P-521 reduction function in Botan 1.11.x before 1.11.27 allows remote attackers to cau
A programming error exists in a way Randombit Botan cryptographic library version 2.0.1 implements x500 string compariso
Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/d
Botan before 3.6.0, when certain LLVM versions are used, has compiler-induced secret-dependent control flow in lib/utils
The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery
Botan 2.5.0 through 2.6.0 before 2.7.0 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of
botan 1.11.x before 1.11.22 improperly handles wildcard matching against hostnames, which might allow remote attackers t
The Curve25519 code in botan before 1.11.31, on systems without a native 128-bit integer type, might allow attackers to
In Botan 1.8.0 through 1.11.33, when decoding BER data an integer overflow could occur, which would cause an incorrect l
In Botan before 2.17.3, constant-time computations are not used for certain decoding and encoding operations (base32, ba
Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard certificates and could accept certain certificates as v
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 12 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP1 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP2 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 | Fixed |
| SUSE Linux Enterprise Server 12 SP1 | Fixed |
| SUSE Linux Enterprise Server 12 SP2 | Fixed |
| SUSE Linux Enterprise Server 12 SP3 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP1 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP2 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP3 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19947