CVE Catalog
CVE-2026-42508
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk0.47%
37th percentile — higher than 37% of all known CVEs
Summary
A vulnerability in the key management system causes a revoked 'SignatureKey' belonging to a CA to not be correctly checked for revocation. Now both 'key' and 'key.SignatureKey' are verified for @revoked.
Risk Assessment
The organization may use revoked signing keys, allowing an attacker to impersonate a trusted certificate authority and forge certificates.
Recommendation
Immediately update the system to a version containing the fix that correctly checks the revocation of 'SignatureKey'.
Original NVD description (English source)
Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

