Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.
AnalysisAI
Here is the multi-source synthesis for CVE-2026-42012:
{
"product_name": "GnuTLS",
"summary": "Improper certificate validation in GnuTLS (CWE-295) lets a remote attacker defeat TLS hostname verification by presenting a certificate that carries URI or SRV Subject Alternative Names, causing GnuTLS to incorrectly fall back to matching the connection's DNS hostname against the certificate's Common Name (CN) and enabling service spoofing or man-in-the-middle interception of sensitive data. The flaw was reported by Red Hat against GnuTLS as shipped in Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images, and carries a CVSS 3.1 base score of 7.1 driven by high integrity impact. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires the victim to initiate a connection to attacker-controlled infrastructure (UI:R).",
"technical_context": "GnuTLS is a widely deployed open-source library implementing TLS/SSL and X.509 certificate handling, used by numerous applications and system components across the Red Hat ecosystem. During X.509 peer verification, RFC 6125 and modern practice require that a DNS hostname be matched against dNSName Subject Alternative Name (SAN) entries, and the deprecated CN-based matching should only occur when no relevant SAN is present. The root cause is classed as CWE-295 (Improper Certificate Validation): when a certificate presents only URI or SRV SAN entries (and no dNSName SAN), GnuTLS's logic incorrectly treats the absence of a *matching DNS* SAN as license to fall back to comparing the hostname against the CN, rather than failing the match. Because URI/SRV SANs are valid certificate fields that do not assert DNS identity, an attacker can populate them to suppress correct SAN-based matching while supplying an attacker-chosen CN, breaking the trust binding between the presented certificate and the requested hostname.",
"risk_assessment": "The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N, base 7.1) describes a network-reachable, low-complexity, unauthenticated flaw whose primary consequence is high integrity impact (spoofing/identity confusion) with only low confidentiality impact and no availability impact — consistent with a MITM/impersonation weakness rather than direct RCE. The UI:R element is significant: the victim client must initiate or be lured into a TLS connection that the attacker can intercept or answer, so this is not a fully autonomous remote exploit. No EPSS score was provided in the input, so exploitation probability cannot be quantified here; KEV status is not present (no active exploitation), and no POC was supplied, so there is no public exploit identified at time of analysis. Net assessment: a credible, real integrity risk for systems performing TLS hostname verification via GnuTLS — particularly in service-to-service and automated client contexts — but its practical severity is gated by the need for an attacker to be on-path or to redirect the victim, and by the application actually relying on GnuTLS hostname matching. Note one item to verify with the vendor: exact affected GnuTLS package versions are not enumerated in the provided data (only Red Hat product CPEs are given).",
"affected_products": "The affected component is the GnuTLS library as distributed by Red Hat. Per the supplied CPE data, impacted products include Red Hat Enterprise Linux 6, 7, 8, 9, and 10 (cpe:2.3:a:red_hat:red_hat_enterprise_linux_6 through _10), Red Hat OpenShift Container Platform 4 (cpe:2.3:a:red_hat:red_hat_openshift_container_platform_4), and Red Hat Hardened Images (cpe:2.3:a:red_hat:red_hat_hardened_images). Specific fixed/affected GnuTLS package version ranges are not enumerated in the provided data and should be confirmed against the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-42012 and the tracking bug at https://bugzilla.redhat.com/show_bug.cgi?id=2467441. Because GnuTLS is an upstream library, non-Red-Hat distributions and applications that bundle or link GnuTLS may also be affected even though only Red Hat products are listed in this intelligence set.",
"remediation": "No vendor-released patch version is identified at time of analysis — the supplied references are the Red Hat CVE page (https://access.redhat.com/security/cve/CVE-2026-42012) and tracking bug (https://bugzilla.redhat.com/show_bug.cgi?id=2467441), neither of which carries an exact fixed package version in the provided data, so monitor those URLs and apply the updated gnutls packages via the standard distribution update mechanism (e.g. dnf/yum update gnutls and dependent libraries) as soon as Red Hat publishes errata. Until a fix is available, compensating controls include: configuring or modifying TLS clients to require a matching dNSName SAN and reject CN fallback entirely (many applications expose a strict-verification or no-CN-fallback option), which eliminates the bug's trigger but may break connections to legacy certificates that still rely on CN; pinning expected server certificates or CAs for high-value service-to-service connections so a swapped certificate is rejected regardless of SAN/CN logic, at the cost of higher operational overhead on certificate rotation; and restricting/segmenting network paths so untrusted parties cannot occupy a man-in-the-middle position for the affected TLS flows. Validate any application-level workaround in staging, since tightening hostname verification can surface previously tolerated certificate misconfigurations.",
"exploit_scenario": "An attacker on the network path (e.g. via ARP/DNS spoofing or a malicious upstream) intercepts a victim application's outbound TLS connection and presents a certificate containing URI or SRV SANs but no matching dNSName SAN, with an attacker-controlled CN crafted to satisfy GnuTLS's fallback check. GnuTLS validates the certificate as matching the requested hostname, so the victim establishes a 'trusted' session with the attacker, who can then impersonate the legitimate service and read or manipulate the exchanged data. No public exploit code has been identified at time of analysis, and the attack requires the victim to initiate the affected connection (UI:R).",
"exploitation_conditions": "Exploitation requires that (1) the victim use an application that performs TLS hostname verification through the vulnerable GnuTLS, (2) the attacker be able to present a certificate to that client — i.e. occupy a man-in-the-middle/on-path position or redirect the victim to attacker-controlled infrastructure (the UI:R requirement: the victim must initiate or be induced to make the TLS connection), and (3) the malicious certificate contain URI or SRV Subject Alternative Names while lacking a correctly matching dNSName SAN, with an attacker-chosen Common Name, which is the exact configuration that triggers the faulty CN fallback. No authentication is required of the attacker (PR:N) and complexity is low (AC:L). Limiting factors that reduce real-world risk: the attack is not autonomous — it depends on victim-initiated connections and an on-path/redirection capability rather than a default-config, drive-by remote trigger; it only succeeds where the application relies on GnuTLS hostname matching (applications doing certificate pinning or enforcing strict SAN-only verification are not affected); and impact is confined to identity spoofing and interception (high integrity, low confidentiality) rather than code execution or denial of service.",
"attack_chain": "Gain on-path/redirect position for victim TLS connection → Present crafted cert with URI/SRV SANs and attacker CN → GnuTLS falls back to CN match and accepts cert → Establish trusted TLS session as impersonated service → Intercept or manipulate sensitive data",
"confidence_notes": "Vulnerability existence, CWE-295 classification, CVSS 7.1 vector, and affected Red Hat product set are confirmed by the Red Hat-sourced intelligence and CPE data; the spoofing/CN-fallback mechanism is taken directly from the CVE description. The attack-position and certificate prerequisites are INFERRED from the CVSS vector (UI:R, network MITM) and the description's SAN/CN wording, not from a published technical write-up. UNKNOWN/MISSING from the provided data: exact affected and fixed GnuTLS package versions, EPSS score, and any POC — KEV status is absent so there is no confirmed active exploitation; the linked Red Hat advisory and Bugzilla should be checked for the authoritative fixed-version errata."
}More in Red Hat Enterprise Linux 10
View allRemote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-EC2 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd | Affected |
| Image SLES-Azure-3P Image SLES-Azure-Basic Image SLES-Azure-Standard Image SLES-BYOS-Azure Image SLES-BYOS-EC2 Image SLES-BYOS-GCE Image SLES-EC2 Image SLES-GCE Image SLES-GCE-3P Image SLES-Hardened-BYOS-Azure Image SLES-Hardened-BYOS-EC2 Image SLES-Hardened-BYOS-GCE Image SLES-SAPCAL-Azure Image SLES-SAPCAL-EC2 Image SLES-SAPCAL-GCE | Affected |
| Image SLES-SAP-Azure Image SLES-SAP-Azure-3P Image SLES-SAP-BYOS-Azure Image SLES-SAP-BYOS-EC2 Image SLES-SAP-BYOS-GCE Image SLES-SAP-EC2 Image SLES-SAP-GCE Image SLES-SAP-GCE-3P | Affected |
| SUSE Liberty Linux 8 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Retail Branch Server LTS 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Micro for Rancher 5.4 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Certifications 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Retail Branch Server LTS 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE CaaS Platform 4.0 | Fixed |
| SUSE Enterprise Storage 6 | Fixed |
| SUSE Enterprise Storage 7 | Fixed |
| SUSE Enterprise Storage 7.1 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP1 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP2 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15-LTSS | Fixed |
| SUSE Linux Enterprise Micro 5.0 | Fixed |
| SUSE Linux Enterprise Micro 5.1 | Fixed |
| SUSE Linux Enterprise Micro 5.2 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP1 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP2 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP3 | Fixed |
| SUSE Linux Enterprise Module for Certifications 15 SP3 | Fixed |
| SUSE Linux Enterprise Module for Certifications 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Desktop Applications 15 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP2 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP3 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 SP3 | Fixed |
| SUSE Linux Enterprise Server 12 SP3-BCL | Fixed |
| SUSE Linux Enterprise Server 12 SP3-ESPOS | Fixed |
| SUSE Linux Enterprise Server 12 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise Server 12 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 | Fixed |
| SUSE Linux Enterprise Server 15 SP1 | Fixed |
| SUSE Linux Enterprise Server 15 SP1-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP2 | Fixed |
| SUSE Linux Enterprise Server 15 SP2-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP3 | Fixed |
| SUSE Linux Enterprise Server 15 SP3-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server 15-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP3 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP5 | Fixed |
| SUSE Manager Proxy 4.0 | Fixed |
| SUSE Manager Proxy 4.1 | Fixed |
| SUSE Manager Proxy 4.2 | Fixed |
| SUSE Manager Retail Branch Server 4.0 | Fixed |
| SUSE Manager Retail Branch Server 4.1 | Fixed |
| SUSE Manager Retail Branch Server 4.2 | Fixed |
| SUSE Manager Server 4.0 | Fixed |
| SUSE Manager Server 4.1 | Fixed |
| SUSE Manager Server 4.2 | Fixed |
| SUSE OpenStack Cloud 8 | Fixed |
| SUSE OpenStack Cloud 9 | Fixed |
| SUSE OpenStack Cloud Crowbar 8 | Fixed |
| SUSE OpenStack Cloud Crowbar 9 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap Micro 5.2 | Fixed |
| openSUSE Leap Micro 5.3 | Fixed |
| openSUSE Leap Micro 5.4 | Fixed |
| openSUSE Leap Micro 5.5 | Fixed |
| SUSE Manager Proxy 4.3 LTS | Fixed |
| SUSE Manager Retail Branch Server 4.3 LTS | Fixed |
| SUSE Manager Server 4.3 LTS | Fixed |
| suse/sles/15.2/virt-handler:0.38.1 suse/sles/15.2/virt-launcher:0.38.1 suse/sles/15.3/virt-handler:0.45.0 suse/sles/15.3/virt-launcher:0.45.0 | Fixed |
| suse/sles/15.4/virt-handler:0.49.0 suse/sles/15.4/virt-launcher:0.49.0 suse/sles/15.5/virt-launcher:0.58.0 suse/sles/15.6/virt-launcher:1.1.1 suse/sles/15.7/virt-launcher:1.5.0 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32010