CVE-2026-42013
8.2 HIGH
A flaw was found in gnutls
Published: 2026-05-26 · Last updated: 2026-06-02
Severity and scoring
- CVSS: 8.2 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
- CWE: CWE-1284
Description
A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-42013
- [Other] https://access.redhat.com/errata/RHSA-2026:20611
- [Other] https://access.redhat.com/errata/RHSA-2026:20612
- [Other] https://access.redhat.com/errata/RHSA-2026:20613
- [Other] https://access.redhat.com/security/cve/CVE-2026-42013
- [Other] https://bugzilla.redhat.com/show_bug.cgi?id=2467448
Related CVEs
Same CWE
- CVE-2026-49110 — Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce <= 3.1.4 versions (7.5 HIGH)
- CVE-2026-49078 — Unauthenticated Other Vulnerability Type in WP Travel Engine <= 6.7.10 versions (7.5 HIGH)
- CVE-2026-45441 — Unauthenticated Other Vulnerability Type in WpEvently <= 5.3.3 versions (7.5 HIGH)
- CVE-2026-42657 — Unauthenticated Other Vulnerability Type in Contest Gallery <= 28.1.7 versions (5.3 MEDIUM)
- CVE-2026-12059 — The SSH service of CelloOS developed by Cellopoint has an Improper Access Control vulnerability, allowing authenticated remote attackers ... (8.8 HIGH)