Improper Certificate Validation in GnuTLS - CVE-2026-42013

Published: April 30, 2026
Vulnerability identifier: #VU128575
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-42013
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: GnuTLS
Software vendor: GnuTLS

Description

The vulnerability allows a remote attacker to bypass certificate hostname validation.

The vulnerability exists due to improper certificate validation in the Subject Alternative Name (SAN) and Common Name (CN) hostname checks when a certificate carries oversized Subject Alternative Names. A remote attacker can present a specially crafted certificate to bypass hostname validation.
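The advisory gives no detail on how the GnuTLS check goes wrong, so the following does not reproduce the flaw. It is an added example, not GnuTLS code, showing the shape of a hostname matcher over SAN dNSName entries with a CN fallback (RFC 6125 rules) that fails closed on oversized or malformed names instead of truncating or silently skipping them. The name limits `MAX_NAME_LEN` and `MAX_LABEL_LEN` are the textual DNS limits from RFC 1035; every certificate name and hostname in the block is constructed for the demonstration.

```python
import re

# Textual DNS limits (RFC 1035): 253 characters for a full name, 63 per label.
MAX_NAME_LEN = 253
MAX_LABEL_LEN = 63
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


class CertNameError(ValueError):
    """A presented name is malformed or oversized; the certificate is rejected."""


def _normalize(name: str, allow_wildcard: bool = False) -> list:
    """Lower-case, strip one trailing dot, and validate every label.

    A name that cannot be represented within DNS limits raises instead of
    being truncated or silently skipped.
    """
    if "\x00" in name:
        raise CertNameError("embedded NUL byte")
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    if not 1 <= len(name) <= MAX_NAME_LEN:
        raise CertNameError(f"name length {len(name)} outside 1..{MAX_NAME_LEN}")
    labels = name.split(".")
    for i, label in enumerate(labels):
        if len(label) > MAX_LABEL_LEN:
            raise CertNameError(f"label longer than {MAX_LABEL_LEN} characters")
        # A single leftmost wildcard is accepted only in certificate names and
        # only when at least two fixed labels follow it (so never "*.com").
        if label == "*" and allow_wildcard and i == 0 and len(labels) >= 3:
            continue
        if not _LABEL_RE.match(label):
            raise CertNameError(f"bad label {label!r}")
    return labels


def _pattern_matches(pattern: list, host: list) -> bool:
    """Label-wise comparison; a wildcard covers exactly one label."""
    if len(pattern) != len(host):
        return False
    if pattern[0] == "*":
        return pattern[1:] == host[1:]
    return pattern == host


def hostname_matches(san_dns_names, common_name, hostname) -> bool:
    """True if hostname is covered by the certificate's names.

    dNSName SAN entries are authoritative; the CN is consulted only when the
    certificate carries no dNSName at all (RFC 6125 section 6.4.4).
    Raises CertNameError if *any* presented name is malformed, so one bad
    SAN entry fails the whole certificate rather than being skipped.
    """
    host = _normalize(hostname)
    candidates = list(san_dns_names)
    if not candidates and common_name is not None:
        candidates = [common_name]
    patterns = [_normalize(n, allow_wildcard=True) for n in candidates]
    return any(_pattern_matches(p, host) for p in patterns)


def verify_hostname(san_dns_names, common_name, hostname) -> str:
    """Return 'ok', 'mismatch' or 'rejected' so callers can log the outcome."""
    try:
        return "ok" if hostname_matches(san_dns_names, common_name, hostname) else "mismatch"
    except CertNameError:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample names; not taken from any real certificate.
    oversized_label = "a" * 64 + ".example.com"
    cases = [
        (["www.example.com"], None, "WWW.Example.COM."),
        (["*.example.com"], None, "api.example.com"),
        (["*.example.com"], None, "a.b.example.com"),
        ([], "example.com", "example.com"),
        (["other.example.com"], "example.com", "example.com"),
        ([oversized_label, "www.example.com"], None, "www.example.com"),
    ]
    for san, cn, host in cases:
        print(f"{host:25s} -> {verify_hostname(san, cn, host)}")
```

The deliberate design choice is that an oversized or otherwise unrepresentable SAN entry yields `rejected` even when a sibling entry would have matched: a validator that cannot faithfully represent one name in the certificate should not be trusted to match on the others.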
Remediation

Install the security update from the vendor's website.

External links