HSEC-2026-0008 crypton-x509-validation and crypton-x509 do not enforce X.509 Name Constraints

crypton-x509-validation and crypton-x509 do not enforce X.509 Name Constraints The crypton-x509-validation and crypton-x509 libraries did not enforce the X.509 Name Constraints extension during certificate validation. The Name Constraints extension is a critical X.509 extension that restricts the...

ServiceNow - Cross-Site Scripting

ServiceNow through San Diego Patch 4b and Patch 6 contains a cross-site scripting vulnerability in the logout functionality, which can enable an unauthenticated remote attacker to execute arbitrary JavaScript. id: CVE-2022-38463 info: name: ServiceNow - Cross-Site Scripting author: amanrawat...

CVE-2026-27145 Inefficient candidate hostname parsing in crypto/x509

x509.Certificate.VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name SAN entries. This caused strings.Splithost, "." to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number...

PT-2026-45873

x509.Certificate.VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name SAN entries. This caused strings.Splithost, "." to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number...

SUSE-SU-2026:2087-1 Security update for gnutls

This update for gnutls fixes the following issues - CVE-2026-3833: x509/name-constraints: compare domain names case-insensitive bsc1263707. - CVE-2026-5260: lib/pkcs11privkey: guard against overreading on short ciphertexts bsc1263715. - CVE-2026-33845: buffers: switch from endoffset over to...

PT-2026-44041

Name of the Vulnerable Software and Affected Versions Erlang OTP versions 19.3 through 26.2.5.20 Erlang OTP versions 26.2.5.21 through 27.3.4.11 Erlang OTP versions 27.3.4.12 through 28.5.0.0 Erlang OTP versions 28.5.0.1 through 29.0.0 public key versions 1.4 through 1.15.1.6 public key versions...

CVE-2026-42013

A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name SAN could cause the validation process to incorrectly fall back to checking the Common Name CN field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to...

CVE-2026-42012 Gnutls: gnutls: certificate validation bypass due to improper handling of uri and srv sans

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier URI or Service SRV Subject Alternative Names SANs. This could cause the certificate validation process to incorrectly fall back to...

CVE-2026-42012

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier URI or Service SRV Subject Alternative Names SANs. This could cause the certificate validation process to incorrectly fall back to...

JLSEC-2026-527

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name SAN entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1deletestructure on an ASN.1 node it do...

gnutls: GnuTLS: Policy bypass due to case-sensitive nameConstraints comparison

A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of nameConstraints labels, specifically for dNSName DNS or rfc822Name email constraints within excludedSubtrees or permittedSubtrees. A remote attacker can exploit this by crafting a leaf...

gnutls: gnutls: Certificate validation bypass due to oversized Subject Alternative Name

A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name SAN could cause the validation process to incorrectly fall back to checking the Common Name CN field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to...

SUSE-SU-2026:21867-1 Security update for gnutls

This update for gnutls fixes the following issues - CVE-2026-3833: x509/name-constraints: compare domain names case-insensitive bsc1263707. - CVE-2026-5260: lib/pkcs11privkey: guard against overreading on short ciphertexts bsc1263715. - CVE-2026-5419: gnutlscipherdecrypt3: make PKCS7 unpadding...

SUSE-SU-2026:21784-1 Security update for gnutls

This update for gnutls fixes the following issues - CVE-2026-3833: x509/name-constraints: compare domain names case-insensitive bsc1263707. - CVE-2026-5260: lib/pkcs11privkey: guard against overreading on short ciphertexts bsc1263715. - CVE-2026-5419: gnutlscipherdecrypt3: make PKCS7 unpadding...

Oracle Linux 8 / 9 : Unbreakable Enterprise kernel (ELSA-2026-50280)

The remote Oracle Linux 8 / 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-50280 advisory. - ptrace: slightly saner 'getdumpable' logic Linus Torvalds Orabug: 39391447 CVE-2026-46333 - nfsd: fix heap overflow in NFSv4.0 LOCK replay cache Jeff...

crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application

A flaw was found in the crypto/x509 package within Go golang. When verifying a certificate chain, excluded DNS Domain Name System constraints are not correctly applied to wildcard DNS Subject Alternative Names SANs if the case of the SAN differs from the constraint. This oversight could allow an...

OPENSUSE-SU-2026:20778-1 Security update for gnutls

This update for gnutls fixes the following issues - CVE-2026-3832: cert-session: fix multi-entry OCSP revocation bypass bsc1263706. - CVE-2026-3833: x509/name-constraints: compare domain names case-insensitive bsc1263707. - CVE-2026-5260: lib/pkcs11privkey: guard against overreading on short...

SUSE-SU-2026:21752-1 Security update for gnutls

This update for gnutls fixes the following issues - CVE-2026-3832: cert-session: fix multi-entry OCSP revocation bypass bsc1263706. - CVE-2026-3833: x509/name-constraints: compare domain names case-insensitive bsc1263707. - CVE-2026-5260: lib/pkcs11privkey: guard against overreading on short...

SUSE-SU-2026:21815-1 Security update for gnutls

This update for gnutls fixes the following issues - CVE-2026-3832: cert-session: fix multi-entry OCSP revocation bypass bsc1263706. - CVE-2026-3833: x509/name-constraints: compare domain names case-insensitive bsc1263707. - CVE-2026-5260: lib/pkcs11privkey: guard against overreading on short...

curl: Trailing-dot IPv4 URL bypasses IP-address guard, allows wildcard DNS SAN match

Hi all, Sorry to ruin anybody's day, but we've discovered another issue when it comes to dots. We've found a TLS certificate verification bypass that lets a trailing-dot IPv4 URL -- https://127.0.0.1./ -- pass peer authentication against a wildcard DNS SAN certificate such as DNS:.0.0.1. The IP...