GNUTLS Certificate Validation Bypass via URI/SRV SAN Fallback
CVE-2026-42012 Published on May 26, 2026
Gnutls: gnutls: certificate validation bypass due to improper handling of uri and srv sans
A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.
Vulnerability Analysis
CVE-2026-42012 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a high impact on integrity, and no impact on availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.
Products Associated with CVE-2026-42012
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-42012 are published in these products:
