SB20260408104 - Multiple vulnerabilities in Botan
Published: April 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2026-32877)
The vulnerability allows a remote attacker to cause a denial of service and disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the SM2 decryption authentication code value (C3) check when processing a crafted SM2 ciphertext with an undersized C3 hash field. A remote attacker can send a specially crafted SM2 ciphertext to cause a denial of service and disclose sensitive information.
The over-read is limited to up to 31 bytes and may result in other undefined behavior.
2) Improper Certificate Validation (CVE-ID: CVE-2026-32884)
The vulnerability allows a remote attacker to bypass DNS name constraints enforcement.
The vulnerability exists due to improper certificate validation in X.509 certificate path processing when validating a certificate chain with DNS excludedSubtrees constraints and an end-entity certificate that has a mixed-case CN and no subject alternative name. A remote attacker can present a specially crafted certificate to bypass DNS name constraints enforcement.
This issue is relevant when nameConstraints are used to restrict allowable DNS names.
3) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-32883)
The vulnerability allows a remote attacker to bypass certificate revocation checks.
The vulnerability exists due to improper verification of cryptographic signature in OCSP response verification during X509 path validation when processing OCSP responses. A remote attacker can tamper with an OCSP response body to bypass certificate revocation checks.
Exploitation requires a machine-in-the-middle position between a Botan-based client and an OCSP responder.
Remediation
Install update from vendor's website.