CVE Catalog

CVE-2026-42508

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.47%

37th percentile — higher than 37% of all known CVEs

Summary

A vulnerability in the key management system causes a revoked 'SignatureKey' belonging to a CA to not be correctly checked for revocation. Now both 'key' and 'key.SignatureKey' are verified for @revoked.

Risk Assessment

The organization may use revoked signing keys, allowing an attacker to impersonate a trusted certificate authority and forge certificates.

Recommendation

Immediately update the system to a version containing the fix that correctly checks the revocation of 'SignatureKey'.

Original NVD description (English source)

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS