PT-2026-29126 · Botan · Botan

Harutokimura · Published 2026-03-30 · Updated 2026-04-20 · CVE-2026-32884

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Botan versions prior to 3.11.0

Description: Botan is a C++ cryptography library. When validating X.509 certificate paths against DNS name constraints, Botan compared the subject Common Name (CN) case-sensitively, which allowed a certificate to bypass the constraints. Specifically, if an end-entity certificate lacked Subject Alternative Names, Botan fell back to checking the CN against the DNS name constraints but did not account for mixed-case CNs. As a result, a certificate with a mixed-case CN such as Sub.EVIL.COM bypassed an excludedSubtrees constraint for evil.com. This behavior violates RFC 5280, which treats DNS names as case-insensitive.

Recommendations: Update to version 3.11.0 or later.
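The following is an added example, not Botan's own code: a self-contained C++ model of the DNS name-constraint check the advisory describes. It implements the RFC 5280 subtree rule (a name satisfies "evil.com" if it equals it or adds labels on the left), the fallback from Subject Alternative Names to the CN, and places a case-sensitive comparison (the defect) next to a case-folded one (the corrected behaviour). The function names, the `excluded_subtrees` list and the sample names are constructed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// DNS labels are case-insensitive, so constraint matching must fold case before
// comparing. ASCII folding suffices: internationalized names appear in
// certificates as A-labels, which are pure ASCII.
static std::string ascii_lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// RFC 5280 4.2.1.10 subtree rule for dNSName constraints: `name` is inside the
// subtree `subtree` when it is equal to it or is formed by prepending one or
// more labels ("a.host.example.com" is inside "host.example.com";
// "nothost.example.com" is not). Comparison here is exact; the caller decides
// whether both sides were case-folded first.
static bool in_dns_subtree(const std::string& name, const std::string& subtree) {
    if (name == subtree) return true;
    if (name.size() <= subtree.size()) return false;
    const std::size_t dot = name.size() - subtree.size() - 1;
    return name[dot] == '.' &&
           name.compare(dot + 1, std::string::npos, subtree) == 0;
}

// Names that the DNS constraints apply to: the dNSName SANs when present,
// otherwise the subject CN (the fallback path the advisory describes).
// Constructed model of that behaviour, not Botan's API.
static std::vector<std::string> dns_names_to_check(const std::string& subject_cn,
                                                   const std::vector<std::string>& sans) {
    if (!sans.empty()) return sans;
    return {subject_cn};
}

// Defective variant: compares the names exactly as written, so a CN of
// "Sub.EVIL.COM" never matches an excluded subtree of "evil.com".
bool excluded_case_sensitive(const std::string& subject_cn,
                             const std::vector<std::string>& sans,
                             const std::vector<std::string>& excluded_subtrees) {
    for (const auto& name : dns_names_to_check(subject_cn, sans))
        for (const auto& ex : excluded_subtrees)
            if (in_dns_subtree(name, ex)) return true;
    return false;
}

// Corrected variant: fold both the candidate name and the constraint to lower
// case before applying the subtree rule.
bool excluded_case_insensitive(const std::string& subject_cn,
                               const std::vector<std::string>& sans,
                               const std::vector<std::string>& excluded_subtrees) {
    for (const auto& name : dns_names_to_check(subject_cn, sans)) {
        const std::string folded = ascii_lower(name);
        for (const auto& ex : excluded_subtrees)
            if (in_dns_subtree(folded, ascii_lower(ex))) return true;
    }
    return false;
}

int main() {
    // Constructed sample: end-entity with no SANs and a mixed-case CN,
    // checked against an excludedSubtrees entry of evil.com.
    const std::vector<std::string> excluded = {"evil.com"};
    std::cout << "case-sensitive excludes Sub.EVIL.COM: "
              << excluded_case_sensitive("Sub.EVIL.COM", {}, excluded) << '\n';
    std::cout << "case-insensitive excludes Sub.EVIL.COM: "
              << excluded_case_insensitive("Sub.EVIL.COM", {}, excluded) << '\n';
    return 0;
}
```

The subtree rule deliberately requires a label boundary (the character before the constraint must be a dot), so a name such as notevil.com is not treated as inside evil.com. When SANs are present the CN is ignored, which is why the case-folding matters only on the fallback path the advisory describes.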

Weakness Enumeration: Improper Certificate Validation

Related Identifiers:
CVE-2026-32884
GHSA-7C3G-7763-GGJ5
OPENSUSE-SU-2026:20566-1

Affected Products: Botan