VDB

CVE-2026-9648

CVE-2026-9648 PUBLISHED CVSS 9.1 CRITICAL

Reported by certcc · Published June 11, 2026

The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.

Risk Scores

CVSS 3.1
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products

VendorProductVersions
Haskell Programming Languagecrypton-certificate0
Haskell Programming Languagecrypton-certificate0

Timeline

  • Jun 6, 2026 CVE Published
  • Jun 6, 2026 Security Advisory
  • Jun 12, 2026 Security Advisory
Open in Interactive Console →
$ Console Community · 100/wk Open console ›