CVE-2026-42790
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk26th percentile - higher than 26% of all known CVEs
Summary
A vulnerability in the public_key library of Erlang OTP allows bypassing DNS nameConstraints by exploiting the CommonName fallback in certificate validation. An attacker can issue a leaf certificate without subjectAltName, which is accepted by the TLS client for a host outside the allowed domain.
Risk Assessment
The organization is at risk of man-in-the-middle attacks where an unauthorized server can impersonate a trusted host. This could lead to interception of sensitive data or compromise of communication integrity.
Recommendation
Immediately upgrade Erlang OTP to versions 26.2.5.21, 27.3.4.12, 28.5.0.1, or 29.0.1 depending on the branch used. For systems that cannot be updated, consider temporarily disabling TLS connections with hostname verification.
Original NVD description (English source)
Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com): First, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName. Second, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback. The result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher. This issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.

