CVE-2026-42012
Awaiting Analysis Awaiting Analysis - Queue
GnuTLS Certificate Validation Bypass via SAN Fallback

Publication date: 2026-05-26

Last updated on: 2026-06-02

Assigner: Red Hat, Inc.

Description
A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-06-02
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-42012
EUVD
EUVD-2026-32010
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gnutls gnutls *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, ensure that your systems using GnuTLS are updated once a fixed version is released that suppresses the fallback behavior in certificate validation.

Until a fix is available, consider restricting or monitoring the use of certificates containing URI or SRV Subject Alternative Names (SANs) to reduce the risk of exploitation.

Executive Summary

This vulnerability exists in gnutls and involves the certificate validation process. A remote attacker can exploit it by presenting a specially crafted certificate containing URI or SRV Subject Alternative Names (SANs). Due to the flaw, the validation process may incorrectly fall back to checking DNS hostnames against the Common Name (CN) field, which can lead to improper validation.

As a result, the attacker might be able to spoof legitimate services or intercept sensitive information by exploiting this incorrect certificate validation behavior.

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to spoof legitimate services or intercept sensitive information. Because the certificate validation process may incorrectly validate malicious certificates, attackers could impersonate trusted services, potentially leading to data interception or man-in-the-middle attacks.

Compliance Impact

This vulnerability in gnutls could allow an attacker to spoof legitimate services or intercept sensitive information by exploiting certificate validation flaws.

Such interception or spoofing of sensitive information may lead to violations of data protection regulations like GDPR or HIPAA, which require the protection of personal and sensitive data during transmission.

Therefore, if exploited, this vulnerability could negatively impact compliance with these standards by compromising the confidentiality and integrity of data.

Detection Guidance

This vulnerability involves improper certificate validation in GnuTLS when processing certificates with URI or SRV Subject Alternative Names (SANs). Detection would involve identifying usage of vulnerable GnuTLS versions and monitoring TLS certificate validation behavior.

To detect if your system is vulnerable, you can check the installed version of GnuTLS to see if it includes the fix for CVE-2026-42012.

  • Check GnuTLS version: `gnutls-cli --version` or `rpm -q gnutls` (on RPM-based systems)
  • Monitor TLS connections for certificates containing URI or SRV SANs and verify if fallback to Common Name (CN) is occurring during validation (this may require custom scripts or enhanced logging in applications using GnuTLS).

There are no specific commands provided in the available resources for direct detection of exploitation attempts on the network.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42012. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart