C++ Cryptography Library Botan Vulnerability in Version 3.11.0
CVE-2026-34580

9.3 CRITICAL

Key Information:

Vendor: Randombit
Status: Vendor
CVE Published: 7 April 2026

What is CVE-2026-34580?

In Botan 3.11.0, the Certificate_Store::certificate_known function reports a certificate as known whenever any stored certificate has the same distinguished name (DN) and, where present, the same subject key identifier as the argument, without verifying that the two are actually the same certificate. Because the check matches on identifiers rather than on the certificate itself, certificate validation is undermined: any end-entity certificate whose identifiers match those of a stored certificate can be mistakenly trusted as a root certificate. The issue is fixed in version 3.11.1.
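The following is an added illustration of the logic flaw described above, not Botan's own code: certificates are reduced to a subject DN, an optional subject key identifier and a stand-in for the DER encoding, and the store is a plain vector. The `known_by_identifiers` method models the 3.11.0 behaviour (match on identifiers only), and `known_exact` models the corrected behaviour (identifiers are only a lookup hint; the candidate must be byte-for-byte identical to a stored certificate). The certificate names, key identifiers and DER strings are constructed sample data.

```cpp
// Constructed model of the CVE-2026-34580 comparison flaw. Not Botan's code:
// only the "is this certificate known?" decision is modelled.
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

struct Cert {
    std::string subject_dn;      // subject distinguished name
    std::string subject_key_id;  // subject key identifier; empty if the extension is absent
    std::string der;             // stand-in for the full DER encoding of the certificate
};

class CertStore {
public:
    void add(const Cert& c) { certs_.push_back(c); }

    // Flawed check (models the 3.11.0 behaviour): a certificate is reported
    // as known as soon as a stored certificate has the same subject DN and,
    // when the candidate carries one, the same subject key identifier. The
    // certificate bytes themselves are never compared.
    bool known_by_identifiers(const Cert& c) const {
        return std::any_of(certs_.begin(), certs_.end(), [&](const Cert& s) {
            if (s.subject_dn != c.subject_dn) return false;
            if (!c.subject_key_id.empty() && s.subject_key_id != c.subject_key_id) return false;
            return true;
        });
    }

    // Corrected check: DN and key identifier narrow the search, but the
    // candidate is known only if a stored certificate is identical.
    bool known_exact(const Cert& c) const {
        return std::any_of(certs_.begin(), certs_.end(), [&](const Cert& s) {
            return s.subject_dn == c.subject_dn
                && s.subject_key_id == c.subject_key_id
                && s.der == c.der;
        });
    }

private:
    std::vector<Cert> certs_;
};

// Constructed sample data: a trusted root, an end-entity certificate that
// copies the root's subject DN and key identifier, and an unrelated one.
inline Cert sample_root()      { return {"CN=Example Root CA", "aa11", "ROOT-DER-BYTES"}; }
inline Cert sample_impostor()  { return {"CN=Example Root CA", "aa11", "LEAF-DER-BYTES"}; }
inline Cert sample_unrelated() { return {"CN=Other",           "bb22", "OTHER-DER-BYTES"}; }

inline CertStore sample_store() {
    CertStore s;
    s.add(sample_root());  // only the genuine root is trusted
    return s;
}

int main() {
    const CertStore store = sample_store();
    const Cert impostor = sample_impostor();
    std::cout << "identifier-only check trusts impostor: "
              << std::boolalpha << store.known_by_identifiers(impostor) << '\n';  // true
    std::cout << "exact check trusts impostor:           "
              << store.known_exact(impostor) << '\n';                             // false
    return 0;
}
```

The impostor carries the same DN and key identifier as the stored root but different bytes; the identifier-only check accepts it, the exact check rejects it, and the genuine root is accepted by both.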

Affected Version(s)

botan >= 3.11.0, < 3.11.1

References

CVSS v4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
