Platform
cpp
Component
botan
Fixed version
3.11.1
CVE-2026-32884 describes a certificate validation bypass vulnerability discovered in Botan, a C++ cryptography library. The flaw allows an attacker to bypass DNS name constraints during X.509 certificate path processing, so a certificate that the constraints should reject can be accepted as valid. The vulnerability affects versions of Botan up to and including 3.11.0, and a fix is available in version 3.11.0.
An attacker can exploit this vulnerability by crafting a malicious X.509 certificate with a mixed-case Common Name (CN) and no Subject Alternative Name (SAN). Because Botan incorrectly handles mixed-case CNs when enforcing DNS name constraints, the attacker can bypass the intended restrictions. This allows the attacker to present a certificate that would otherwise be rejected, potentially enabling man-in-the-middle attacks, unauthorized access to resources, or other security breaches. The impact is particularly severe in environments where Botan is used for certificate validation in critical applications or infrastructure.
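The DNS name constraint check that the bypass above turns on, as an added illustration rather than Botan's own code: a byte-exact suffix comparison that lets a mixed-case name like Sub.EVIL.COM slip past an excluded subtree, next to a case-folding, label-boundary-aware version that a validator should use. The host names and constraint values are constructed for the example.

```cpp
// Added example (not Botan's code): dNSName subtree matching per RFC 5280,
// with case folded before comparison. Names and constraints are constructed.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>
// DNS labels are ASCII (IDNs arrive as A-labels), so ASCII lowering suffices.
static std::string ascii_lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}
// Weak check: a byte-exact suffix test. "Sub.EVIL.COM" does not end with
// ".evil.com" byte-for-byte, so an excluded subtree "evil.com" is missed.
bool dns_in_subtree_case_sensitive(const std::string& name, const std::string& constraint) {
    if (constraint.empty()) return true;   // empty subtree matches everything
    if (name == constraint) return true;
    const std::string dotted = "." + constraint;
    return name.size() > dotted.size() &&
           name.compare(name.size() - dotted.size(), dotted.size(), dotted) == 0;
}
// Hardened check: fold both sides to lowercase, strip a leading dot from the
// constraint, and match only on a label boundary ("notevil.com" is not
// inside the "evil.com" subtree).
bool dns_in_subtree(const std::string& name, const std::string& constraint) {
    std::string n = ascii_lower(name);
    std::string c = ascii_lower(constraint);
    if (!c.empty() && c[0] == '.') c.erase(0, 1);
    if (c.empty()) return true;
    if (n == c) return true;
    const std::string dotted = "." + c;
    return n.size() > dotted.size() &&
           n.compare(n.size() - dotted.size(), dotted.size(), dotted) == 0;
}
// A dNSName is allowed if it is inside no excluded subtree and, when any
// permitted subtrees are given, inside at least one of them.
bool dns_name_allowed(const std::string& name,
                      const std::vector<std::string>& permitted,
                      const std::vector<std::string>& excluded) {
    for (const auto& ex : excluded)
        if (dns_in_subtree(name, ex)) return false;
    if (permitted.empty()) return true;
    for (const auto& p : permitted)
        if (dns_in_subtree(name, p)) return true;
    return false;
}
```

The same folding must be applied to a CN that is used as a fallback host name when the certificate carries no SAN, since that is the path the advisory describes.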
This vulnerability was publicly disclosed on 2026-03-30. There is currently no known public proof-of-concept (POC) available. The vulnerability's impact depends heavily on the specific configuration and usage of Botan within an application. It is not currently listed on the CISA KEV catalog, and exploitation probability is considered low given the lack of public exploits.
Applications and systems relying on Botan for certificate validation are at risk, particularly those with relaxed DNS name constraint policies or those processing certificates from untrusted sources. Organizations using Botan in embedded systems or custom security solutions should prioritize patching.
• linux / server: find /usr/local/include/botan -name '*.cpp' -print0 | xargs -0 grep -i 'CN=Sub.EVIL.COM'
• generic web: Inspect Botan configuration files for any custom DNS name constraint policies. Look for any unusual or overly permissive rules.
• cpp: Review Botan source code for instances where certificate CNs are compared without case-insensitive checks.
disclosure
Exploitation status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32884 is to upgrade to Botan version 3.11.0 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing stricter DNS name constraint policies to minimize the potential impact. While not a direct fix, carefully reviewing and tightening certificate validation rules can reduce the attack surface. Additionally, monitor certificate validation logs for unusual patterns or unexpected certificate chains. After upgrading, confirm the fix by attempting to validate a certificate with a mixed-case CN and verifying that it is now rejected.
Update the Botan library to version 3.11.0 or later. This version fixes an X.509 certificate validation vulnerability that allowed DNS name constraints to be bypassed because of how case was handled when comparing the Common Name (CN).
CVE-2026-32884 is a medium-severity vulnerability in the Botan cryptography library affecting versions up to 3.11.0. It allows a mixed-case Common Name in a certificate to bypass DNS name constraint checks, potentially enabling a certificate to be validated that should have been rejected.
You are affected if you are using Botan version 3.11.0 or earlier. Check your Botan version and upgrade if necessary.
Upgrade to Botan version 3.11.0 or later to resolve this vulnerability. Ensure your DNS name constraint policies are also reviewed and tightened.
There is currently no evidence of active exploitation, but the vulnerability is publicly known and could be exploited in the future.
Refer to the Botan project's security advisories on their official website for the latest information and updates regarding CVE-2026-32884.