Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/86871?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/86871?format=api", "vulnerability_id": "VCID-8a5v-tu8j-7kfe", "summary": "Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com) First, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName. Second, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback. The result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher. This issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.", "aliases": [ { "alias": "CVE-2026-42790" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378513?format=api", "purl": "pkg:deb/debian/erlang@1:27.3.4.12%2Bdfsg-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.12%252Bdfsg-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/343088?format=api", "purl": "pkg:deb/debian/erlang@1:27.3.4.12%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.12%252Bdfsg-1%3Fdistro=trixie" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377473?format=api", "purl": "pkg:deb/debian/erlang@1:23.2.6%2Bdfsg-1%2Bdeb11u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1py9-5tap-d7fv" }, { "vulnerability": "VCID-4ny1-ztaq-yudj" }, { "vulnerability": "VCID-5vxe-1smj-fyck" }, { "vulnerability": "VCID-8a5v-tu8j-7kfe" }, { "vulnerability": "VCID-d2mt-nbtf-b3fy" }, { "vulnerability": "VCID-h7x2-fxke-tkdp" }, { "vulnerability": "VCID-qqzg-7f84-4fhz" }, { "vulnerability": "VCID-ws6x-zs8f-b3d5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:23.2.6%252Bdfsg-1%252Bdeb11u1" }, { "url": "http://public2.vulnerablecode.io/api/packages/343086?format=api", "purl": "pkg:deb/debian/erlang@1:23.2.6%2Bdfsg-1%2Bdeb11u1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1py9-5tap-d7fv" }, { "vulnerability": "VCID-4ny1-ztaq-yudj" }, { "vulnerability": "VCID-5vxe-1smj-fyck" }, { "vulnerability": "VCID-8a5v-tu8j-7kfe" }, { "vulnerability": "VCID-d2mt-nbtf-b3fy" }, { "vulnerability": "VCID-h7x2-fxke-tkdp" }, { "vulnerability": "VCID-qqzg-7f84-4fhz" }, { "vulnerability": "VCID-ws6x-zs8f-b3d5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:23.2.6%252Bdfsg-1%252Bdeb11u1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/377474?format=api", "purl": "pkg:deb/debian/erlang@1:25.2.3%2Bdfsg-1%2Bdeb12u4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1py9-5tap-d7fv" }, { "vulnerability": "VCID-4ny1-ztaq-yudj" }, { "vulnerability": "VCID-8a5v-tu8j-7kfe" }, { "vulnerability": "VCID-h7x2-fxke-tkdp" }, { "vulnerability": "VCID-qqzg-7f84-4fhz" }, { "vulnerability": "VCID-ws6x-zs8f-b3d5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:25.2.3%252Bdfsg-1%252Bdeb12u4" }, { "url": "http://public2.vulnerablecode.io/api/packages/343084?format=api", "purl": "pkg:deb/debian/erlang@1:25.2.3%2Bdfsg-1%2Bdeb12u4?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1py9-5tap-d7fv" }, { "vulnerability": "VCID-4ny1-ztaq-yudj" }, { "vulnerability": "VCID-8a5v-tu8j-7kfe" }, { "vulnerability": "VCID-h7x2-fxke-tkdp" }, { "vulnerability": "VCID-qqzg-7f84-4fhz" }, { "vulnerability": "VCID-ws6x-zs8f-b3d5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:25.2.3%252Bdfsg-1%252Bdeb12u4%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/378421?format=api", "purl": "pkg:deb/debian/erlang@1:27.3.4.1%2Bdfsg-1%2Bdeb13u2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1py9-5tap-d7fv" }, { "vulnerability": "VCID-4ny1-ztaq-yudj" }, { "vulnerability": "VCID-4qr6-9z6u-ekb3" }, { "vulnerability": "VCID-7xvh-aqcu-uyb4" }, { "vulnerability": "VCID-8a5v-tu8j-7kfe" }, { "vulnerability": "VCID-qqzg-7f84-4fhz" }, { "vulnerability": "VCID-ws6x-zs8f-b3d5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.1%252Bdfsg-1%252Bdeb13u2" }, { "url": "http://public2.vulnerablecode.io/api/packages/343089?format=api", "purl": "pkg:deb/debian/erlang@1:27.3.4.1%2Bdfsg-1%2Bdeb13u2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1py9-5tap-d7fv" }, { "vulnerability": "VCID-4ny1-ztaq-yudj" }, { "vulnerability": "VCID-4qr6-9z6u-ekb3" }, { "vulnerability": "VCID-7xvh-aqcu-uyb4" }, { "vulnerability": "VCID-8a5v-tu8j-7kfe" }, { "vulnerability": "VCID-qqzg-7f84-4fhz" }, { "vulnerability": "VCID-ws6x-zs8f-b3d5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.1%252Bdfsg-1%252Bdeb13u2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/378422?format=api", "purl": "pkg:deb/debian/erlang@1:27.3.4.11%2Bdfsg-7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1py9-5tap-d7fv" }, { "vulnerability": "VCID-7xvh-aqcu-uyb4" }, { "vulnerability": "VCID-8a5v-tu8j-7kfe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.11%252Bdfsg-7" }, { "url": "http://public2.vulnerablecode.io/api/packages/343087?format=api", "purl": "pkg:deb/debian/erlang@1:27.3.4.11%2Bdfsg-7?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1py9-5tap-d7fv" }, { "vulnerability": "VCID-7xvh-aqcu-uyb4" }, { "vulnerability": "VCID-8a5v-tu8j-7kfe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.11%252Bdfsg-7%3Fdistro=trixie" } ], "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42790", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08507", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42790" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42790", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42790" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/erlang/otp/commit/0769050c69d73762672b0db1347b6993a5b31759", "reference_id": "0769050c69d73762672b0db1347b6993a5b31759", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/" } ], "url": "https://github.com/erlang/otp/commit/0769050c69d73762672b0db1347b6993a5b31759" }, { "reference_url": "https://github.com/erlang/otp/commit/21abed64eb2026b5f82f432709e4e932f9be389a", "reference_id": "21abed64eb2026b5f82f432709e4e932f9be389a", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/" } ], "url": "https://github.com/erlang/otp/commit/21abed64eb2026b5f82f432709e4e932f9be389a" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*" }, { "reference_url": "https://cna.erlef.org/cves/CVE-2026-42790.html", "reference_id": "CVE-2026-42790.html", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/" } ], "url": "https://cna.erlef.org/cves/CVE-2026-42790.html" }, { "reference_url": "https://osv.dev/vulnerability/EEF-CVE-2026-42790", "reference_id": "EEF-CVE-2026-42790", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/" } ], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42790" }, { "reference_url": "https://github.com/erlang/otp/commit/fb67c6d1836f51105a96d8b769e71e4215a79457", "reference_id": "fb67c6d1836f51105a96d8b769e71e4215a79457", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/" } ], "url": "https://github.com/erlang/otp/commit/fb67c6d1836f51105a96d8b769e71e4215a79457" }, { "reference_url": "https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447", "reference_id": "GHSA-22cw-4ph4-6447", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/" } ], "url": "https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447" }, { "reference_url": "https://www.erlang.org/doc/system/versions.html#order-of-versions", "reference_id": "versions.html#order-of-versions", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/" } ], "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions" } ], "weaknesses": [ { "cwe_id": 295, "name": "Improper Certificate Validation", "description": "The product does not validate, or incorrectly validates, a certificate." }, { "cwe_id": 297, "name": "Improper Validation of Certificate with Host Mismatch", "description": "The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host." } ], "exploits": [], "severity_range_score": "7.4 - 7.6", "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8a5v-tu8j-7kfe" }