Platform: cpp
Component: botan
Fixed in: 3.11.1
CVE-2026-32884 describes a certificate validation bypass vulnerability discovered in Botan, a C++ cryptography library. This flaw allows attackers to potentially bypass DNS name constraints during X.509 certificate path processing, leading to unauthorized certificate validation. The vulnerability affects versions of Botan up to and including 3.11.0, and a fix is available in version 3.11.0.
An attacker can exploit this vulnerability by crafting a malicious X.509 certificate with a mixed-case Common Name (CN) and no Subject Alternative Name (SAN). Because Botan incorrectly handles mixed-case CNs when enforcing DNS name constraints, the attacker can bypass the intended restrictions. This allows the attacker to present a certificate that would otherwise be rejected, potentially enabling man-in-the-middle attacks, unauthorized access to resources, or other security breaches. The impact is particularly severe in environments where Botan is used for certificate validation in critical applications or infrastructure.
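To make the mechanism above concrete, here is an added, self-contained C++ model of dNSName name-constraint matching (RFC 5280, section 4.2.1.10) with the subject CN used as a fallback when no SAN is present. This is illustration code written for this page, not Botan's implementation; the function names, the `LeafNames` struct and the sample names are assumptions. The `normalize` flag switches between a byte-exact comparison (the defect pattern: a mixed-case CN such as `Sub.EVIL.COM` fails to match an excluded subtree `evil.com` and is therefore accepted) and the hardened form that lowercases both sides before comparing, as DNS names are case-insensitive.

```cpp
// Added illustration of DNS name-constraint matching with and without case
// normalization. Simplified model for this page, not Botan's code.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// ASCII-lowercase copy of a DNS name (DNS names are case-insensitive).
static std::string ascii_lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// RFC 5280 semantics: a dNSName constraint "example.com" covers "example.com"
// and every subdomain such as "host.example.com". A leading dot spelling
// (".example.com") is accepted as an equivalent. With normalize == false the
// comparison is byte-exact, which is the defect pattern discussed above.
bool dns_name_in_subtree(const std::string& name, const std::string& constraint, bool normalize) {
    std::string n = normalize ? ascii_lower(name) : name;
    std::string c = normalize ? ascii_lower(constraint) : constraint;
    if (!c.empty() && c.front() == '.') c.erase(0, 1);
    if (n == c) return true;
    if (n.size() > c.size() + 1 &&
        n.compare(n.size() - c.size(), c.size(), c) == 0 &&
        n[n.size() - c.size() - 1] == '.')
        return true;
    return false;
}

// Excluded subtrees win over permitted ones; an empty permitted list means
// "anything not excluded".
bool name_constraints_allow(const std::string& name,
                            const std::vector<std::string>& permitted,
                            const std::vector<std::string>& excluded,
                            bool normalize) {
    for (const auto& ex : excluded)
        if (dns_name_in_subtree(name, ex, normalize)) return false;
    if (permitted.empty()) return true;
    for (const auto& p : permitted)
        if (dns_name_in_subtree(name, p, normalize)) return true;
    return false;
}

// Hypothetical leaf-certificate name fields used by this illustration.
struct LeafNames {
    std::string common_name;
    std::vector<std::string> dns_sans;
};

// Names the constraint check must cover: every dNSName SAN, or the CN as a
// fallback when the certificate carries no SAN (the case this CVE concerns).
std::vector<std::string> names_to_check(const LeafNames& leaf) {
    if (!leaf.dns_sans.empty()) return leaf.dns_sans;
    return {leaf.common_name};
}

bool leaf_passes_constraints(const LeafNames& leaf,
                             const std::vector<std::string>& permitted,
                             const std::vector<std::string>& excluded,
                             bool normalize) {
    for (const auto& n : names_to_check(leaf))
        if (!name_constraints_allow(n, permitted, excluded, normalize)) return false;
    return true;
}

int main() {
    // Constructed sample: CA excludes "evil.com", leaf has a mixed-case CN and no SAN.
    const LeafNames leaf{"Sub.EVIL.COM", {}};
    std::cout << "byte-exact comparison accepts leaf: "
              << leaf_passes_constraints(leaf, {}, {"evil.com"}, false) << '\n';  // 1 (bypass)
    std::cout << "normalized comparison accepts leaf: "
              << leaf_passes_constraints(leaf, {}, {"evil.com"}, true) << '\n';   // 0 (rejected)
    return 0;
}
```

Note the asymmetry: against an excluded subtree, a case-sensitive comparison fails open (the name is wrongly accepted), whereas against a permitted subtree it fails closed (a legitimate mixed-case name is wrongly rejected). Only the normalized comparison gives the intended result in both directions.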
This vulnerability was publicly disclosed on 2026-03-30. There is currently no known public proof-of-concept (POC) available. The vulnerability's impact depends heavily on the specific configuration and usage of Botan within an application. It is not currently listed on the CISA KEV catalog, and exploitation probability is considered low given the lack of public exploits.
Applications and systems relying on Botan for certificate validation are at risk, particularly those with relaxed DNS name constraint policies or those processing certificates from untrusted sources. Organizations using Botan in embedded systems or custom security solutions should prioritize patching.
• linux / server: find /usr/local/include/botan -name '*.cpp' -print0 | xargs -0 grep -i 'CN=Sub.EVIL.COM'
• generic web: Inspect Botan configuration files for any custom DNS name constraint policies. Look for any unusual or overly permissive rules.
• cpp: Review Botan source code for instances where certificate CNs are compared without case-insensitive checks.
EPSS: 0.02% (6th percentile)
The primary mitigation for CVE-2026-32884 is to upgrade to Botan version 3.11.0 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing stricter DNS name constraint policies to minimize the potential impact. While not a direct fix, carefully reviewing and tightening certificate validation rules can reduce the attack surface. Additionally, monitor certificate validation logs for unusual patterns or unexpected certificate chains. After upgrading, confirm the fix by attempting to validate a certificate with a mixed-case CN and verifying that it is now rejected.
Update the Botan library to version 3.11.0 or higher. This version fixes the X.509 certificate validation vulnerability that allowed DNS name constraints to be bypassed because Common Names (CN) were compared without regard to case.
CVE-2026-32884 is a medium-severity vulnerability in the Botan cryptography library affecting versions up to 3.11.0. It allows a mixed-case Common Name in a certificate to bypass DNS name constraint checks, potentially enabling unauthorized validation.
You are affected if you are using Botan version 3.11.0 or earlier. Check your Botan version and upgrade if necessary.
Upgrade to Botan version 3.11.0 or later to resolve this vulnerability. Ensure your DNS name constraint policies are also reviewed and tightened.
There is currently no evidence of active exploitation, but the vulnerability is publicly known and could be exploited in the future.
Refer to the Botan project's security advisories on their official website for the latest information and updates regarding CVE-2026-32884.