{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66633?format=json","vulnerability_id":"VCID-wsby-unw4-zqe7","summary":"Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification.  Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com):  First, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName.  Second, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback.  The result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher.  This issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.","aliases":[{"alias":"CVE-2026-42790"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/93544?format=json","purl":"pkg:deb/debian/erlang@1:27.3.4.12%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.12%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/195831?format=json","purl":"pkg:deb/debian/erlang@1:27.3.4.12%2Bdfsg-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.12%252Bdfsg-1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5775?format=json","purl":"pkg:deb/debian/erlang@1:23.2.6%2Bdfsg-1%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uh8-nhph-gfb6"},{"vulnerability":"VCID-883b-48uw-6yag"},{"vulnerability":"VCID-b3hg-mjga-nbg1"},{"vulnerability":"VCID-dazh-ypb5-akfp"},{"vulnerability":"VCID-dccw-cx8r-r7a1"},{"vulnerability":"VCID-ryy7-f45d-yyhv"},{"vulnerability":"VCID-wsby-unw4-zqe7"},{"vulnerability":"VCID-yyfx-f783-fqgk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:23.2.6%252Bdfsg-1%252Bdeb11u1"},{"url":"http://public2.vulnerablecode.io/api/packages/93543?format=json","purl":"pkg:deb/debian/erlang@1:23.2.6%2Bdfsg-1%2Bdeb11u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uh8-nhph-gfb6"},{"vulnerability":"VCID-883b-48uw-6yag"},{"vulnerability":"VCID-b3hg-mjga-nbg1"},{"vulnerability":"VCID-dazh-ypb5-akfp"},{"vulnerability":"VCID-dccw-cx8r-r7a1"},{"vulnerability":"VCID-ryy7-f45d-yyhv"},{"vulnerability":"VCID-wsby-unw4-zqe7"},{"vulnerability":"VCID-yyfx-f783-fqgk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:23.2.6%252Bdfsg-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/93541?format=json","purl":"pkg:deb/debian/erlang@1:25.2.3%2Bdfsg-1%2Bdeb12u4?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uh8-nhph-gfb6"},{"vulnerability":"VCID-883b-48uw-6yag"},{"vulnerability":"VCID-b3hg-mjga-nbg1"},{"vulnerability":"VCID-dazh-ypb5-akfp"},{"vulnerability":"VCID-ryy7-f45d-yyhv"},{"vulnerability":"VCID-wsby-unw4-zqe7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:25.2.3%252Bdfsg-1%252Bdeb12u4%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/195385?format=json","purl":"pkg:deb/debian/erlang@1:25.2.3%2Bdfsg-1%2Bdeb12u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uh8-nhph-gfb6"},{"vulnerability":"VCID-883b-48uw-6yag"},{"vulnerability":"VCID-b3hg-mjga-nbg1"},{"vulnerability":"VCID-dazh-ypb5-akfp"},{"vulnerability":"VCID-ryy7-f45d-yyhv"},{"vulnerability":"VCID-wsby-unw4-zqe7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:25.2.3%252Bdfsg-1%252Bdeb12u4"},{"url":"http://public2.vulnerablecode.io/api/packages/93545?format=json","purl":"pkg:deb/debian/erlang@1:27.3.4.1%2Bdfsg-1%2Bdeb13u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uh8-nhph-gfb6"},{"vulnerability":"VCID-883b-48uw-6yag"},{"vulnerability":"VCID-aqqx-g7d3-1yfy"},{"vulnerability":"VCID-dazh-ypb5-akfp"},{"vulnerability":"VCID-n6dc-39d1-83cr"},{"vulnerability":"VCID-ryy7-f45d-yyhv"},{"vulnerability":"VCID-wsby-unw4-zqe7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.1%252Bdfsg-1%252Bdeb13u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/195830?format=json","purl":"pkg:deb/debian/erlang@1:27.3.4.1%2Bdfsg-1%2Bdeb13u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uh8-nhph-gfb6"},{"vulnerability":"VCID-883b-48uw-6yag"},{"vulnerability":"VCID-aqqx-g7d3-1yfy"},{"vulnerability":"VCID-dazh-ypb5-akfp"},{"vulnerability":"VCID-n6dc-39d1-83cr"},{"vulnerability":"VCID-ryy7-f45d-yyhv"},{"vulnerability":"VCID-wsby-unw4-zqe7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.1%252Bdfsg-1%252Bdeb13u2"}],"references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42790","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42790"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/erlang/otp/commit/0769050c69d73762672b0db1347b6993a5b31759","reference_id":"0769050c69d73762672b0db1347b6993a5b31759","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/"}],"url":"https://github.com/erlang/otp/commit/0769050c69d73762672b0db1347b6993a5b31759"},{"reference_url":"https://github.com/erlang/otp/commit/21abed64eb2026b5f82f432709e4e932f9be389a","reference_id":"21abed64eb2026b5f82f432709e4e932f9be389a","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/"}],"url":"https://github.com/erlang/otp/commit/21abed64eb2026b5f82f432709e4e932f9be389a"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"},{"reference_url":"https://cna.erlef.org/cves/CVE-2026-42790.html","reference_id":"CVE-2026-42790.html","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/"}],"url":"https://cna.erlef.org/cves/CVE-2026-42790.html"},{"reference_url":"https://osv.dev/vulnerability/EEF-CVE-2026-42790","reference_id":"EEF-CVE-2026-42790","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/"}],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-42790"},{"reference_url":"https://github.com/erlang/otp/commit/fb67c6d1836f51105a96d8b769e71e4215a79457","reference_id":"fb67c6d1836f51105a96d8b769e71e4215a79457","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/"}],"url":"https://github.com/erlang/otp/commit/fb67c6d1836f51105a96d8b769e71e4215a79457"},{"reference_url":"https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447","reference_id":"GHSA-22cw-4ph4-6447","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/"}],"url":"https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447"},{"reference_url":"https://www.erlang.org/doc/system/versions.html#order-of-versions","reference_id":"versions.html#order-of-versions","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/"}],"url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"}],"weaknesses":[{"cwe_id":295,"name":"Improper Certificate Validation","description":"The product does not validate, or incorrectly validates, a certificate."},{"cwe_id":297,"name":"Improper Validation of Certificate with Host Mismatch","description":"The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host."}],"exploits":[],"severity_range_score":"7.4 - 7.6","exploitability":"0.5","weighted_severity":"0.0","risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wsby-unw4-zqe7"}