CVE-2026-9648
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk5th percentile — higher than 5% of all known CVEs
Summary
The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees.
Risk Assessment
This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.
Recommendation
It is recommended to update the library to the latest version that fixes the enforcement of X.509 NameConstraints and to review and verify TLS certificates.
Original NVD description (English source)
The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.

