PT-2026-36155 · Gnutls+3

Oleh Konko · Published 2026-03-02 · Updated 2026-06-01 · CVE-2026-3833

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

gnutls (affected versions not specified)

Description

A flaw exists where case-sensitive comparisons are performed on nameConstraints labels, specifically for dNSName (DNS) or rfc822Name (email) constraints within excludedSubtrees or permittedSubtrees. A remote attacker can craft a leaf certificate with casing differences in the Subject Alternative Name (SAN) to bypass policies, causing a certificate that should be rejected to be accepted. This may lead to unauthorized access or information disclosure.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
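
The comparison flaw in the description, shown as an added illustration that is not GnuTLS source code: a dNSName excludedSubtrees check run once with a byte-for-byte compare and once with an ASCII case-insensitive compare. All function names and the sample constraint and SAN values are hypothetical and constructed for this example; rfc822Name and permittedSubtrees are not covered.

```c
/* Added illustration, not GnuTLS source. Function names are hypothetical. */
#include <stdio.h>
#include <string.h>

typedef int (*eq_fn)(const char *, const char *, size_t);

/* Byte-for-byte comparison: the behaviour the advisory describes. */
static int eq_exact(const char *a, const char *b, size_t n)
{
    return memcmp(a, b, n) == 0;
}

/* ASCII case-insensitive comparison, independent of locale. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char x = (unsigned char)a[i], y = (unsigned char)b[i];
        if (x >= 'A' && x <= 'Z') x += 'a' - 'A';
        if (y >= 'A' && y <= 'Z') y += 'a' - 'A';
        if (x != y) return 0;
    }
    return 1;
}

/* 1 if dNSName `name` equals `base` or extends it to the left by whole labels. */
static int in_subtree(const char *name, const char *base, eq_fn eq)
{
    size_t nl = strlen(name), bl = strlen(base);
    if (bl == 0) return 1;            /* empty constraint covers every name */
    if (nl < bl) return 0;
    const char *tail = name + (nl - bl);
    if (!eq(tail, base, bl)) return 0;
    return nl == bl || base[0] == '.' || tail[-1] == '.';
}

/* excludedSubtrees check: 1 = SAN passes, 0 = certificate must be rejected. */
static int san_allowed(const char *san, const char *const *excluded, size_t n, eq_fn eq)
{
    for (size_t i = 0; i < n; i++)
        if (in_subtree(san, excluded[i], eq)) return 0;
    return 1;
}

int main(void)
{
    const char *const excluded[] = { "example.com" };   /* constructed constraint */
    const char *san = "internal.EXAMPLE.com";           /* constructed SAN value */
    printf("case-sensitive:   allowed=%d\n", san_allowed(san, excluded, 1, eq_exact));
    printf("case-insensitive: allowed=%d\n", san_allowed(san, excluded, 1, eq_nocase));
    return 0;
}
```

A regression test for a validator can use the same pairing: every name rejected in lower case must also be rejected in any mixed-case spelling.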

Related Identifiers

ALSA-2026:20611
BDU:2026-07116
CVE-2026-3833
ECHO-EAAB-3ED4-9BFD
OESA-2026-2333
OESA-2026-2334
OESA-2026-2335
OESA-2026-2404
OPENSUSE-SU-2026:10691-1
RHSA-2026:13274
USN-8284-1

Affected Products

Linuxmint
Rocky Linux
Ubuntu
Gnutls