Skip to main content

Red Hat Enterprise Linux 10 CVE-2026-42013

| EUVDEUVD-2026-32011 HIGH
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-05-26 redhat
8.2
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
8.2 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 26, 2026 - 22:14 vuln.today
CVE Published
May 26, 2026 - 21:29 nvd
HIGH 8.2

DescriptionCVE.org

A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.

AnalysisAI

Here is the multi-source synthesis as a single JSON object:

json
{
  "product_name": "GnuTLS",
  "summary": "Certificate validation bypass in GnuTLS (as shipped in Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images) lets a remote attacker defeat hostname verification: when a certificate carries an oversized Subject Alternative Name, the library incorrectly abandons SAN matching and falls back to the legacy Common Name field, accepting certificates it should reject. An attacker positioned to intercept traffic can present such a certificate to impersonate a trusted server and conduct spoofing or man-in-the-middle attacks against TLS clients that rely on GnuTLS. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score in the provided data.",
  "technical_context": "GnuTLS is a widely deployed open-source implementation of TLS/SSL and related cryptographic protocols, used by countless Linux applications for establishing authenticated, encrypted connections. During X.509 certificate verification, modern practice requires that the presented hostname be matched against the Subject Alternative Name (SAN) extension, with the deprecated Common Name (CN) field used only as a legacy fallback. The flaw is classified as CWE-1284 (Improper Validation of Specified Quantity in Input): an oversized SAN value is not handled correctly during length/quantity validation, causing the verification routine to skip proper SAN matching and revert to the weaker CN check. Because the CN field is attacker-influenceable and not bound to the same constraints, this fallback effectively neutralizes the protection SAN matching is supposed to provide. The affected packages span Red Hat Enterprise Linux 6, 7, 8, 9, and 10, OpenShift Container Platform 4, and Red Hat Hardened Images, per the supplied CPE data.",
  "risk_assessment": "Signals are mixed and incomplete. The CVSS 3.1 base score of 8.2 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N reflects an unauthenticated, low-complexity, network-reachable issue with high integrity impact (authentication/trust bypass) and only low confidentiality impact, no availability impact. However, the CVSS network/no-privilege rating understates a practical precondition: to weaponize a certificate-validation bypass an attacker generally needs a man-in-the-middle or interception position, which CVSS does not model as a privilege, so verify realistic exposure against your network topology rather than treating it as trivially remote. No EPSS score, no SSVC decision data, and no KEV status were provided, so exploitation probability cannot be quantified from the input. There is no public exploit identified at time of analysis. Net assessment: a genuinely serious trust-bypass weakness in a foundational TLS library warranting prompt patching, but absent KEV/EPSS/POC evidence it currently reads as a high-severity hygiene fix rather than an actively-exploited emergency.",
  "affected_products": "The flaw affects the GnuTLS library as distributed by Red Hat across Red Hat Enterprise Linux 6, 7, 8, 9, and 10 (cpe:2.3:a:red_hat:red_hat_enterprise_linux_6 through _10), Red Hat OpenShift Container Platform 4 (cpe:2.3:a:red_hat:red_hat_openshift_container_platform_4), and Red Hat Hardened Images (cpe:2.3:a:red_hat:red_hat_hardened_images). Specific fixed package versions are not enumerated in the provided data; the input references only Red Hat tracking resources rather than tagged releases. Consult the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-42013 and the tracking bug at https://bugzilla.redhat.com/show_bug.cgi?id=2467448 for per-product errata and exact patched build numbers.",
  "remediation": "No vendor-released patch version is identified in the provided data, although Red Hat is tracking the issue; monitor https://access.redhat.com/security/cve/CVE-2026-42013 and apply the GnuTLS errata for your specific RHEL or OpenShift stream as soon as Red Hat publishes fixed package builds, then restart or redeploy all services that link GnuTLS so the corrected library is loaded. As a compensating control until errata are available, reduce reliance on GnuTLS-based trust decisions for high-value connections: pin expected server certificates or public keys in clients you control, require mutual TLS so the server is not the only authenticated party, and restrict outbound TLS to known endpoints so an interception position is harder to obtain. Each of these has trade-offs: certificate/key pinning increases operational overhead during legitimate certificate rotation, mutual TLS requires client-certificate provisioning, and egress restriction can break legitimate connections to new endpoints, so validate them in staging before broad rollout. Track fixed versions at https://bugzilla.redhat.com/show_bug.cgi?id=2467448 and update this remediation once exact patched builds are confirmed; do not assume the absence of a listed version means no fix is forthcoming.",
  "exploit_scenario": "An attacker who can intercept a victim's TLS traffic (for example on a shared or compromised network segment, or via DNS/ARP redirection) presents a certificate crafted with an oversized SAN entry. GnuTLS aborts proper SAN matching and falls back to the CN field, which the attacker has populated with the target hostname, so the spoofed certificate is accepted and the attacker transparently relays or modifies the now-trusted session. No public exploit code is identified at time of analysis, and the low attack complexity (AC:L) means crafting the malicious certificate is straightforward once an interception position exists.",
  "exploitation_conditions": "Exploitation requires two concrete elements drawn from the description and CVSS vector. First, the attacker must supply an X.509 certificate containing an oversized Subject Alternative Name value that triggers GnuTLS's incorrect fallback from SAN matching to Common Name matching, with the target hostname placed in the CN field. Second, the attacker must occupy a position to deliver that certificate to a GnuTLS-based client during connection setup, i.e., a man-in-the-middle or traffic-interception capability, since the bypass only yields value when impersonating a legitimate endpoint. The CVSS vector confirms no authentication (PR:N) and no user interaction (UI:N) are needed against the library itself and the attack is network-reachable (AV:N) with low complexity (AC:L). Limiting factors: the victim application must use GnuTLS for certificate verification and must perform hostname validation, the attacker needs the interception position to be useful, and impact is integrity/trust (I:H) rather than direct data disclosure (C:L) or denial of service (A:N).",
  "attack_chain": "Gain traffic interception position → Present certificate with oversized SAN → Trigger GnuTLS fallback to CN check → Spoofed certificate validated against CN → Relay or modify trusted TLS session",
  "confidence_notes": "Affected product scope (RHEL 6-10, OpenShift Container Platform 4, Red Hat Hardened Images), the CWE-1284 root-cause class, and the CVSS 3.1 vector are confirmed from Red Hat-supplied input. The man-in-the-middle precondition is inferred from the description and the nature of certificate-validation bypasses, not stated verbatim. Exact patched package versions, EPSS score, SSVC data, KEV status, and any POC are not present in the provided data; there is no public exploit identified at time of analysis, and fixed versions should be confirmed against the Red Hat advisory and Bugzilla before remediation is closed out."
}
CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: High
Product Status
Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-EC2 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Image SLES-Azure-3P Image SLES-Azure-Basic Image SLES-Azure-Standard Image SLES-BYOS-Azure Image SLES-BYOS-EC2 Image SLES-BYOS-GCE Image SLES-EC2 Image SLES-GCE Image SLES-GCE-3P Image SLES-Hardened-BYOS-Azure Image SLES-Hardened-BYOS-EC2 Image SLES-Hardened-BYOS-GCE Image SLES-SAPCAL-Azure Image SLES-SAPCAL-EC2 Image SLES-SAPCAL-GCE Affected
Image SLES-SAP-Azure Image SLES-SAP-Azure-3P Image SLES-SAP-BYOS-Azure Image SLES-SAP-BYOS-EC2 Image SLES-SAP-BYOS-GCE Image SLES-SAP-EC2 Image SLES-SAP-GCE Image SLES-SAP-GCE-3P Affected
SUSE Liberty Linux 8 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

CVE-2026-42013 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy