PT-2026-54772 · Erlang · Quic
Published
2026-07-01
·
Updated
2026-07-01
·
CVE-2026-49457
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
erlang/quic versions prior to 1.4.4
Description
The QUIC client fails to authenticate the server during the TLS 1.3 handshake. Specifically, the
verify process is ineffective because the CertificateVerify signature is not checked, the certificate chain is not validated, and the hostname is not compared against the certificate. This allows a man-in-the-middle attacker to present any certificate and impersonate any server, compromising the confidentiality and integrity of the connection. HTTP/3 is also affected as it utilizes the same client. Handshakes authenticated by a Pre-Shared Key (PSK), used for session resumption, are not affected since the peer is authenticated by the PSK binder and no certificate is transmitted.Recommendations
Update to version 1.4.4.
Fix
Improper Certificate Validation
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Quic