Skip to main content

Red Hat Enterprise Linux 10 CVE-2026-42012

| EUVDEUVD-2026-32010 HIGH
Improper Certificate Validation (CWE-295)
2026-05-26 redhat
7.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
7.1 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

2
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 7.1
Analysis Generated
May 26, 2026 - 22:13 vuln.today

DescriptionCVE.org

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.

AnalysisAI

Here is the multi-source synthesis for CVE-2026-42012:

json
{
  "product_name": "GnuTLS",
  "summary": "Improper certificate validation in GnuTLS (CWE-295) lets a remote attacker defeat TLS hostname verification by presenting a certificate that carries URI or SRV Subject Alternative Names, causing GnuTLS to incorrectly fall back to matching the connection's DNS hostname against the certificate's Common Name (CN) and enabling service spoofing or man-in-the-middle interception of sensitive data. The flaw was reported by Red Hat against GnuTLS as shipped in Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images, and carries a CVSS 3.1 base score of 7.1 driven by high integrity impact. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires the victim to initiate a connection to attacker-controlled infrastructure (UI:R).",
  "technical_context": "GnuTLS is a widely deployed open-source library implementing TLS/SSL and X.509 certificate handling, used by numerous applications and system components across the Red Hat ecosystem. During X.509 peer verification, RFC 6125 and modern practice require that a DNS hostname be matched against dNSName Subject Alternative Name (SAN) entries, and the deprecated CN-based matching should only occur when no relevant SAN is present. The root cause is classed as CWE-295 (Improper Certificate Validation): when a certificate presents only URI or SRV SAN entries (and no dNSName SAN), GnuTLS's logic incorrectly treats the absence of a *matching DNS* SAN as license to fall back to comparing the hostname against the CN, rather than failing the match. Because URI/SRV SANs are valid certificate fields that do not assert DNS identity, an attacker can populate them to suppress correct SAN-based matching while supplying an attacker-chosen CN, breaking the trust binding between the presented certificate and the requested hostname.",
  "risk_assessment": "The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N, base 7.1) describes a network-reachable, low-complexity, unauthenticated flaw whose primary consequence is high integrity impact (spoofing/identity confusion) with only low confidentiality impact and no availability impact — consistent with a MITM/impersonation weakness rather than direct RCE. The UI:R element is significant: the victim client must initiate or be lured into a TLS connection that the attacker can intercept or answer, so this is not a fully autonomous remote exploit. No EPSS score was provided in the input, so exploitation probability cannot be quantified here; KEV status is not present (no active exploitation), and no POC was supplied, so there is no public exploit identified at time of analysis. Net assessment: a credible, real integrity risk for systems performing TLS hostname verification via GnuTLS — particularly in service-to-service and automated client contexts — but its practical severity is gated by the need for an attacker to be on-path or to redirect the victim, and by the application actually relying on GnuTLS hostname matching. Note one item to verify with the vendor: exact affected GnuTLS package versions are not enumerated in the provided data (only Red Hat product CPEs are given).",
  "affected_products": "The affected component is the GnuTLS library as distributed by Red Hat. Per the supplied CPE data, impacted products include Red Hat Enterprise Linux 6, 7, 8, 9, and 10 (cpe:2.3:a:red_hat:red_hat_enterprise_linux_6 through _10), Red Hat OpenShift Container Platform 4 (cpe:2.3:a:red_hat:red_hat_openshift_container_platform_4), and Red Hat Hardened Images (cpe:2.3:a:red_hat:red_hat_hardened_images). Specific fixed/affected GnuTLS package version ranges are not enumerated in the provided data and should be confirmed against the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-42012 and the tracking bug at https://bugzilla.redhat.com/show_bug.cgi?id=2467441. Because GnuTLS is an upstream library, non-Red-Hat distributions and applications that bundle or link GnuTLS may also be affected even though only Red Hat products are listed in this intelligence set.",
  "remediation": "No vendor-released patch version is identified at time of analysis — the supplied references are the Red Hat CVE page (https://access.redhat.com/security/cve/CVE-2026-42012) and tracking bug (https://bugzilla.redhat.com/show_bug.cgi?id=2467441), neither of which carries an exact fixed package version in the provided data, so monitor those URLs and apply the updated gnutls packages via the standard distribution update mechanism (e.g. dnf/yum update gnutls and dependent libraries) as soon as Red Hat publishes errata. Until a fix is available, compensating controls include: configuring or modifying TLS clients to require a matching dNSName SAN and reject CN fallback entirely (many applications expose a strict-verification or no-CN-fallback option), which eliminates the bug's trigger but may break connections to legacy certificates that still rely on CN; pinning expected server certificates or CAs for high-value service-to-service connections so a swapped certificate is rejected regardless of SAN/CN logic, at the cost of higher operational overhead on certificate rotation; and restricting/segmenting network paths so untrusted parties cannot occupy a man-in-the-middle position for the affected TLS flows. Validate any application-level workaround in staging, since tightening hostname verification can surface previously tolerated certificate misconfigurations.",
  "exploit_scenario": "An attacker on the network path (e.g. via ARP/DNS spoofing or a malicious upstream) intercepts a victim application's outbound TLS connection and presents a certificate containing URI or SRV SANs but no matching dNSName SAN, with an attacker-controlled CN crafted to satisfy GnuTLS's fallback check. GnuTLS validates the certificate as matching the requested hostname, so the victim establishes a 'trusted' session with the attacker, who can then impersonate the legitimate service and read or manipulate the exchanged data. No public exploit code has been identified at time of analysis, and the attack requires the victim to initiate the affected connection (UI:R).",
  "exploitation_conditions": "Exploitation requires that (1) the victim use an application that performs TLS hostname verification through the vulnerable GnuTLS, (2) the attacker be able to present a certificate to that client — i.e. occupy a man-in-the-middle/on-path position or redirect the victim to attacker-controlled infrastructure (the UI:R requirement: the victim must initiate or be induced to make the TLS connection), and (3) the malicious certificate contain URI or SRV Subject Alternative Names while lacking a correctly matching dNSName SAN, with an attacker-chosen Common Name, which is the exact configuration that triggers the faulty CN fallback. No authentication is required of the attacker (PR:N) and complexity is low (AC:L). Limiting factors that reduce real-world risk: the attack is not autonomous — it depends on victim-initiated connections and an on-path/redirection capability rather than a default-config, drive-by remote trigger; it only succeeds where the application relies on GnuTLS hostname matching (applications doing certificate pinning or enforcing strict SAN-only verification are not affected); and impact is confined to identity spoofing and interception (high integrity, low confidentiality) rather than code execution or denial of service.",
  "attack_chain": "Gain on-path/redirect position for victim TLS connection → Present crafted cert with URI/SRV SANs and attacker CN → GnuTLS falls back to CN match and accepts cert → Establish trusted TLS session as impersonated service → Intercept or manipulate sensitive data",
  "confidence_notes": "Vulnerability existence, CWE-295 classification, CVSS 7.1 vector, and affected Red Hat product set are confirmed by the Red Hat-sourced intelligence and CPE data; the spoofing/CN-fallback mechanism is taken directly from the CVE description. The attack-position and certificate prerequisites are INFERRED from the CVSS vector (UI:R, network MITM) and the description's SAN/CN wording, not from a published technical write-up. UNKNOWN/MISSING from the provided data: exact affected and fixed GnuTLS package versions, EPSS score, and any POC — KEV status is absent so there is no confirmed active exploitation; the linked Red Hat advisory and Bugzilla should be checked for the authoritative fixed-version errata."
}
CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

SUSE

Severity: High
Product Status
Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-EC2 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Image SLES-Azure-3P Image SLES-Azure-Basic Image SLES-Azure-Standard Image SLES-BYOS-Azure Image SLES-BYOS-EC2 Image SLES-BYOS-GCE Image SLES-EC2 Image SLES-GCE Image SLES-GCE-3P Image SLES-Hardened-BYOS-Azure Image SLES-Hardened-BYOS-EC2 Image SLES-Hardened-BYOS-GCE Image SLES-SAPCAL-Azure Image SLES-SAPCAL-EC2 Image SLES-SAPCAL-GCE Affected
Image SLES-SAP-Azure Image SLES-SAP-Azure-3P Image SLES-SAP-BYOS-Azure Image SLES-SAP-BYOS-EC2 Image SLES-SAP-BYOS-GCE Image SLES-SAP-EC2 Image SLES-SAP-GCE Image SLES-SAP-GCE-3P Affected
SUSE Liberty Linux 8 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

CVE-2026-42012 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy