Improper Certificate Validation in GnuTLS - CVE-2026-42012


Published: April 30, 2026

Vulnerability identifier: #VU128574
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-42012
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: GnuTLS
Software vendor: GnuTLS

Description

The vulnerability allows a remote attacker to misuse certificates beyond their intended purpose.

The vulnerability exists due to improper certificate validation in certificate hostname verification when processing certificates containing URI or SRV Subject Alternative Names. A remote attacker can present a specially crafted certificate to misuse certificates beyond their intended purpose.

Certificates whose Subject Alternative Name extension contains URI or SRV entries may incorrectly fall back to checking the requested DNS hostname against the Common Name, so a certificate issued only for a URI or SRV identifier can be accepted for the hostname named in its Common Name.
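As an added illustration (not GnuTLS code): a minimal hostname matcher showing the fallback the advisory describes beside the RFC 6125 section 6.4.4 rule that prevents it, namely that the Common Name may be consulted only when the certificate presents no DNS, SRV or URI identifier at all. The SAN entries and Common Name below are constructed sample values.

```python
# Certificate identifiers are modelled as (type, value) pairs taken from the
# Subject Alternative Name extension, plus the subject Common Name (or None).

def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID comparison; a single leading '*.' label
    matches exactly one label of the hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname

def verify_hostname_lenient(san, cn, hostname) -> bool:
    """Models the flawed behaviour: the CN is consulted whenever no dNSName
    matched, even though the certificate presented URI or SRV identifiers."""
    dns_ids = [v for t, v in san if t == "dNSName"]
    if any(_dns_match(p, hostname) for p in dns_ids):
        return True
    return cn is not None and _dns_match(cn, hostname)  # falls back too eagerly

def verify_hostname_strict(san, cn, hostname) -> bool:
    """RFC 6125 rule: a CN-ID is checked only if the certificate presents
    no DNS-ID, SRV-ID or URI-ID; any of those disables the CN fallback."""
    dns_ids = [v for t, v in san if t == "dNSName"]
    if any(_dns_match(p, hostname) for p in dns_ids):
        return True
    presented = {t for t, _ in san}
    if presented & {"dNSName", "SRVName", "uniformResourceIdentifier"}:
        return False  # SAN carries identifiers: the CN must not be consulted
    return cn is not None and _dns_match(cn, hostname)

# Constructed sample: a certificate issued only for a URI and an SRV name,
# whose Common Name happens to look like a web server hostname.
URI_SRV_SAN = [("uniformResourceIdentifier", "https://svc.example.test/api"),
               ("SRVName", "_xmpp-client.example.test")]
URI_SRV_CN = "www.example.test"

# Constructed sample: a legacy certificate with no SAN extension at all,
# for which consulting the CN is still permitted.
LEGACY_SAN = []
LEGACY_CN = "legacy.example.test"

if __name__ == "__main__":
    print(verify_hostname_lenient(URI_SRV_SAN, URI_SRV_CN, "www.example.test"))  # True
    print(verify_hostname_strict(URI_SRV_SAN, URI_SRV_CN, "www.example.test"))   # False
    print(verify_hostname_strict(LEGACY_SAN, LEGACY_CN, "legacy.example.test"))  # True
```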

Remediation

Install the security update from the vendor's website.

External links