Improper Certificate Validation in GnuTLS - CVE-2026-42013

Published: April 30, 2026

Vulnerability identifier: #VU128575
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-42013
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GnuTLS
Affected software:
GnuTLS

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass certificate hostname validation.

The vulnerability exists due to improper certificate validation in certificate Subject Alternative Name and Common Name hostname checking when validating certificates with oversized Subject Alternative Names. A remote attacker can present a specially crafted certificate to bypass certificate hostname validation.
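The advisory names the two places a TLS client looks for the server's identity, the Subject Alternative Name dNSName entries and the legacy Common Name, and says the defect is triggered by oversized SAN values. The following is an added, illustrative hostname matcher, not GnuTLS code and not a reproduction of the flaw; it shows the behaviour a defender expects from a correct implementation: entries that exceed the RFC 1034 length limits are rejected outright rather than truncated or skipped, wildcards are confined to the leftmost label, and the Common Name is consulted only when the certificate carries no dNSName SAN at all. The function names and the sample names are assumptions made for this example.

```python
import re

# RFC 1034/1035 limits: a hostname is at most 253 characters, each label at most 63.
MAX_HOSTNAME_LEN = 253
MAX_LABEL_LEN = 63
# One DNS label: alphanumerics and hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _valid_label(label, allow_wildcard=False):
    """A single label is valid if it fits the length limit and the DNS charset."""
    if allow_wildcard and label == "*":
        return True
    return len(label) <= MAX_LABEL_LEN and bool(LABEL_RE.match(label))


def normalize_name(name):
    """Lower-case, strip one trailing dot, and reject oversized or malformed names.

    Returns the normalized string, or None when the name must not be matched at all.
    Rejecting (rather than truncating) an oversized entry is the point: a truncated
    name could collide with a legitimate one.
    """
    if not isinstance(name, str):
        return None
    name = name.lower().rstrip(".")
    if not name or len(name) > MAX_HOSTNAME_LEN:
        return None
    labels = name.split(".")
    for i, label in enumerate(labels):
        if not _valid_label(label, allow_wildcard=(i == 0)):
            return None
    return name


def name_matches(pattern, hostname):
    """Match one certificate name (wildcard allowed in the leftmost label only)."""
    pattern = normalize_name(pattern)
    hostname = normalize_name(hostname)
    if pattern is None or hostname is None or "*" in hostname:
        return False
    if pattern.startswith("*."):
        # The wildcard covers exactly one label and needs at least two labels after it,
        # so "*.com" never matches "example.com".
        h_labels = hostname.split(".")
        return len(h_labels) >= 3 and ".".join(h_labels[1:]) == pattern[2:]
    return pattern == hostname


def hostname_matches(hostname, san_dns_names, common_name=None):
    """Return True when the hostname is covered by the certificate.

    SAN dNSName entries are authoritative when present; the Common Name is used only
    for certificates with no dNSName SAN. An oversized or malformed SAN entry is
    ignored for matching purposes and never causes a fall-through to the CN.
    """
    if san_dns_names:
        return any(name_matches(n, hostname) for n in san_dns_names)
    if common_name is not None:
        return name_matches(common_name, hostname)
    return False


if __name__ == "__main__":
    # Constructed sample: one SAN label longer than the 63-character limit.
    oversized = "a" * 64 + ".example.com"
    print(hostname_matches("www.example.com", ["www.example.com"]))          # True
    print(hostname_matches("www.example.com", [oversized], "www.example.com"))  # False
```

The second call in the usage block is the case worth internalising: the certificate has a SAN extension, so the Common Name is not consulted even though it would match, and the only SAN entry is rejected for being oversized, so validation fails closed.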

How to mitigate CVE-2026-42013

Install security update from vendor's website.

Sources