PT-2026-54772 · Erlang · Quic

Published

2026-07-01

·

Updated

2026-07-01

·

CVE-2026-49457

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions erlang/quic versions prior to 1.4.4
Description The QUIC client fails to authenticate the server during the TLS 1.3 handshake. Specifically, the verify process is ineffective because the CertificateVerify signature is not checked, the certificate chain is not validated, and the hostname is not compared against the certificate. This allows a man-in-the-middle attacker to present any certificate and impersonate any server, compromising the confidentiality and integrity of the connection. HTTP/3 is also affected as it utilizes the same client. Handshakes authenticated by a Pre-Shared Key (PSK), used for session resumption, are not affected since the peer is authenticated by the PSK binder and no certificate is transmitted.
Recommendations Update to version 1.4.4.

Fix

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49457
GHSA-2R8V-P65X-3663

Affected Products

Quic