cvedb.io
CVE-2026-9648
CRITICAL · CVSS 9.1
EPSS exploitation probability: 0%
Published 2026-06-11T16:16:25.503 · Last modified 2026-06-17T11:05:34.177

Summary

The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.
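To make the missing check concrete, here is an added example (written for this page in Python, not code from the crypton-x509-validation library or its maintainers) of the dNSName NameConstraints enforcement that RFC 5280 section 4.2.1.10 requires of a path validator: each SAN must fall inside at least one permitted subtree when any are present, must fall inside no excluded subtree, and every CA's constraints apply to every certificate below it in the chain. The certificate names, CA names and constraint values are constructed for illustration and are assumptions, not values from the advisory.

```python
"""Added example, not code from the crypton-x509-validation project: a minimal
RFC 5280 4.2.1.10 dNSName NameConstraints check. All subjects, SANs and
constraint values below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass, field


def _labels(name: str) -> list:
    # DNS names are case-insensitive. Compare label by label rather than as a
    # string suffix so that "notexample.com" is not inside "example.com".
    return name.lower().rstrip(".").split(".")


def dns_name_in_subtree(name: str, constraint: str) -> bool:
    """True if `name` equals `constraint` or is formed by adding one or more
    labels to its left-hand side (the RFC 5280 dNSName subtree rule)."""
    n, c = _labels(name), _labels(constraint)
    if len(n) < len(c):
        return False
    return n[len(n) - len(c):] == c


def check_dns_names(sans: list, permitted: list, excluded: list) -> list:
    """Return the SAN dNSNames that violate the given constraint sets.

    An excluded subtree always wins. If any permitted subtrees exist, a name
    outside all of them is a violation. With no constraints, nothing fails."""
    violations = []
    for san in sans:
        if any(dns_name_in_subtree(san, ex) for ex in excluded):
            violations.append(san)
        elif permitted and not any(dns_name_in_subtree(san, p) for p in permitted):
            violations.append(san)
    return violations


@dataclass
class CertDesc:
    """Only the fields the check needs; the dNSName SANs and, for CA
    certificates, the dNSName entries of the NameConstraints extension."""
    subject: str
    dns_sans: list = field(default_factory=list)
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def validate_chain(chain: list) -> list:
    """`chain` is leaf-first, ending at the root. Every CA's constraints are
    applied to all certificates below it, so a constrained sub-CA cannot
    issue outside its subtree. Returns (subject, constraining_ca, san) tuples;
    an empty list means the chain satisfies all name constraints."""
    violations = []
    for idx, ca in enumerate(chain[1:], start=1):
        if not (ca.permitted or ca.excluded):
            continue
        for subordinate in chain[:idx]:
            for san in check_dns_names(subordinate.dns_sans, ca.permitted, ca.excluded):
                violations.append((subordinate.subject, ca.subject, san))
    return violations


# Constructed chain: a root without constraints, a sub-CA permitted only to
# issue under corp.example, and a leaf that also carries a SAN outside it.
SAMPLE_CHAIN = [
    CertDesc("leaf", dns_sans=["www.corp.example", "login.bank.example"]),
    CertDesc("Constrained Sub-CA", permitted=["corp.example"]),
    CertDesc("Root CA"),
]


if __name__ == "__main__":
    for subject, ca, san in validate_chain(SAMPLE_CHAIN):
        print(f"REJECT: {subject!r} SAN {san!r} is outside constraints set by {ca!r}")
```

Running the block reports the `login.bank.example` SAN as outside the sub-CA's permitted subtree, which is exactly the case a validator that skips NameConstraints would accept. A real implementation also has to handle the other GeneralName forms (rfc822Name, iPAddress with its mask encoding, directoryName) and the subject CN fallback, which this example leaves out.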
