SB20260408105 - Multiple vulnerabilities in Botan

Published: April 8, 2026

Security Bulletin ID: SB20260408105
Severity: High
Patch available: Yes
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 50%, Medium: 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Improper Enforcement of Behavioral Workflow (CVE-ID: CVE-2026-34582)

The vulnerability allows a remote attacker to bypass client certificate authentication.

The vulnerability exists due to improper enforcement of behavioral workflow in the TLS 1.3 implementation: ApplicationData records were processed before the handshake had completed. A remote attacker acting as a TLS 1.3 client can send ApplicationData records in place of the client Finished message and bypass client certificate authentication.

The issue affects servers that request client certificates (i.e. that send a CertificateRequest). Exploitation consists of omitting the Certificate, CertificateVerify and Finished messages of the client's authentication flight and sending application data directly; a vulnerable server processed that data as if the client had completed authentication.
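The workflow failure described above, as an added example that is not Botan's code: a minimal model of the server-side TLS 1.3 state machine for the client's authentication flight (after the server has sent CertificateRequest and its own Finished). It contrasts a gate that accepts ApplicationData as soon as it can be decrypted with one that accepts it only once the client's Finished has been processed. The state and message names, the `Record` shape and the `process_client_flight` function are assumptions chosen for illustration.

```cpp
// Added example (not Botan's code): TLS 1.3 server-side handling of the
// client's authentication flight, lenient vs. strict ApplicationData gating.
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

enum class ContentType : uint8_t { Handshake = 22, ApplicationData = 23 };
enum class HsMsg : uint8_t { Certificate = 11, CertificateVerify = 15, Finished = 20 };

// One decrypted record received from the client. 'hs' is only meaningful
// for Handshake records; 'payload' only for ApplicationData records.
struct Record {
    ContentType type;
    HsMsg hs;
    std::string payload;
};

Record hs(HsMsg m) { return {ContentType::Handshake, m, ""}; }
Record app(const std::string& data) { return {ContentType::ApplicationData, HsMsg::Finished, data}; }

// Server states for the client's authentication flight (RFC 8446, section 4.4).
enum class State { WaitCertificate, WaitCertificateVerify, WaitFinished, Connected };

struct Outcome {
    std::vector<std::string> app_data;   // data handed to the application
    bool client_authenticated = false;   // client Finished processed after CertificateVerify
    std::string alert;                   // set when the connection was aborted
};

// Process the client's records in order.
//  strict == false: ApplicationData is accepted whenever it decrypts. On the
//    server the client application traffic keys already exist before the
//    client's Finished arrives, so this is the bypass pattern.
//  strict == true:  ApplicationData is accepted only in State::Connected.
Outcome process_client_flight(const std::vector<Record>& records, bool strict) {
    Outcome out;
    State state = State::WaitCertificate;
    for (const Record& r : records) {
        if (r.type == ContentType::ApplicationData) {
            if (strict && state != State::Connected) {
                out.alert = "unexpected_message";
                return out;
            }
            out.app_data.push_back(r.payload);
            continue;
        }
        // Handshake message: advance only in the expected order.
        bool ok = false;
        switch (state) {
        case State::WaitCertificate:
            ok = (r.hs == HsMsg::Certificate);
            if (ok) state = State::WaitCertificateVerify;
            break;
        case State::WaitCertificateVerify:
            ok = (r.hs == HsMsg::CertificateVerify);
            if (ok) state = State::WaitFinished;
            break;
        case State::WaitFinished:
            ok = (r.hs == HsMsg::Finished);
            if (ok) { state = State::Connected; out.client_authenticated = true; }
            break;
        case State::Connected:
            ok = false;   // no further handshake messages expected here
            break;
        }
        if (!ok) { out.alert = "unexpected_message"; return out; }
    }
    return out;
}

int main() {
    // Attacker flight: no Certificate/CertificateVerify/Finished, just data.
    Outcome lenient = process_client_flight({app("GET / HTTP/1.1")}, false);
    std::cout << "lenient: delivered=" << lenient.app_data.size()
              << " authenticated=" << lenient.client_authenticated << "\n";
    Outcome strict = process_client_flight({app("GET / HTTP/1.1")}, true);
    std::cout << "strict: alert=" << strict.alert
              << " delivered=" << strict.app_data.size() << "\n";
    return 0;
}
```

The point of the model is where the check lives: the record layer can legitimately decrypt client ApplicationData before the client's Finished, because the client application traffic secret is derived from the transcript up to the server's Finished, so the handshake layer must refuse to deliver that data until its own state machine has reached the connected state. (0-RTT early data is a separate case with its own keys and is not modelled here.)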


2) Improper Certificate Validation (CVE-ID: CVE-2026-34580)

The vulnerability allows a remote attacker to bypass X.509 certificate verification.

The vulnerability exists due to improper certificate validation in Certificate_Store::certificate_known and in the path validation logic that relies on it when processing a presented end-entity certificate. A remote attacker can present a crafted end-entity certificate whose subject distinguished name and Subject Key Identifier match those of a trusted root and thereby bypass X.509 certificate verification.

The issue occurs because the certificate lookup treated a match on these attributes as if the certificates were identical, so the attacker-controlled end-entity certificate was accepted as the trusted root itself and path validation treated it as a trust anchor instead of as a certificate that must chain to one.
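The lookup weakness described above, as an added example that is not Botan's code: a toy certificate store contrasting a "known certificate" test that matches on subject DN plus Subject Key Identifier with one that requires the full DER encoding to be identical, and a small path-validation loop that uses the result to decide whether it has reached a trust anchor. The `X509Cert` structure, the store and function names, the sample certificates and the `issued_by` stand-in for signature verification are all constructed for illustration.

```cpp
// Added example (not Botan's code): attribute-match vs. byte-identical
// trust-anchor lookup and its effect on path validation.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

struct X509Cert {
    std::string subject_dn;
    std::string issuer_dn;
    std::vector<uint8_t> subject_key_id;   // SKID extension value
    bool is_ca;                             // BasicConstraints cA flag
    std::vector<uint8_t> der;               // complete encoded certificate
};

struct CertificateStore {
    std::vector<X509Cert> roots;

    // Weak: an attribute match is treated as identity. Anyone who copies a
    // root's subject DN and SKID into their own certificate is "known".
    bool certificate_known_weak(const X509Cert& c) const {
        for (const X509Cert& r : roots)
            if (r.subject_dn == c.subject_dn && r.subject_key_id == c.subject_key_id)
                return true;
        return false;
    }
    // Hardened: only a byte-identical certificate is the trusted root.
    bool certificate_known_strict(const X509Cert& c) const {
        for (const X509Cert& r : roots)
            if (r.der == c.der) return true;
        return false;
    }
};

// Stand-in for signature verification (constructed for the example): a parent
// "issued" a child when it is a CA and its subject equals the child's issuer.
static bool issued_by(const X509Cert& child, const X509Cert& parent) {
    return parent.is_ca && parent.subject_dn == child.issuer_dn;
}

// Walk the chain from the end-entity upward. A certificate the store
// recognises as a trusted root ends the walk successfully; anything else must
// be issued by the next certificate in the chain.
bool validate_path(const std::vector<X509Cert>& chain,
                   const CertificateStore& store, bool strict) {
    for (std::size_t i = 0; i < chain.size(); ++i) {
        bool known = strict ? store.certificate_known_strict(chain[i])
                            : store.certificate_known_weak(chain[i]);
        if (known) return true;   // reached a trust anchor
        if (i + 1 >= chain.size() || !issued_by(chain[i], chain[i + 1]))
            return false;          // no usable issuer: path cannot be built
    }
    return false;
}

// Constructed sample certificates (DER bytes are placeholders).
const X509Cert kRoot{"CN=Example Root CA", "CN=Example Root CA", {0x01, 0x02, 0x03}, true, {0x30, 0x82, 0x01}};
const X509Cert kLeaf{"CN=server.example", "CN=Example Root CA", {0x0A, 0x0B}, false, {0x30, 0x82, 0x02}};
// Attacker-controlled end-entity certificate copying the root's DN and SKID.
const X509Cert kCrafted{"CN=Example Root CA", "CN=Attacker", {0x01, 0x02, 0x03}, false, {0x30, 0x82, 0xFF}};

CertificateStore make_store() { return CertificateStore{{kRoot}}; }

int main() {
    CertificateStore store = make_store();
    std::cout << "weak lookup accepts crafted cert:   " << validate_path({kCrafted}, store, false) << "\n";
    std::cout << "strict lookup accepts crafted cert: " << validate_path({kCrafted}, store, true) << "\n";
    std::cout << "strict lookup accepts real chain:   " << validate_path({kLeaf, kRoot}, store, true) << "\n";
    return 0;
}
```

With the weak lookup the crafted certificate is accepted on its own, without any issuer and without anything being verified, because the store reports it as the root. Matching on DN and SKID is fine as a pre-filter to find candidate issuers; the identity test that decides whether a presented certificate is a trust anchor has to compare the whole encoded certificate.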


Remediation

Install the update from the vendor's website.