Certificate Validation Flaw in GnuTLS Allows Potential Man-in-the-Middle Attacks
CVE-2026-42013
Key Information:
- Vendor: Red Hat
- Status: Vendor
- CVE Published: 26 May 2026
What is CVE-2026-42013?
GnuTLS contains a flaw in certificate hostname validation. When a certificate's Subject Alternative Name (SAN) extension exceeds a particular size, the validation code does not fail on the unparsable extension; it incorrectly falls back to matching the Common Name (CN) field, even though a SAN that is present should be the only source of host names considered. A remote attacker who can present a certificate whose oversized SAN does not name the target host, but whose CN does, can therefore pass the hostname check, which opens the door to server spoofing and man-in-the-middle attacks against clients that rely on GnuTLS for validation. The flaw is in the hostname-matching step rather than in chain validation, so the attacker still needs a certificate the client otherwise trusts. Users and administrators should apply the security updates from Red Hat to close this gap.
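The fallback described above, modelled in a simplified hostname-verification routine as an added example. This is illustrative code written for this page, not GnuTLS's source: the certificate model, the SAN_MAX_BYTES limit that stands in for the advisory's unspecified "particular size", the functions verify_vulnerable and verify_fixed, and the sample certificates are all constructed assumptions. The vulnerable form treats a SAN that is too large to parse like a missing SAN and drops to the CN; the hardened form fails closed.

```c
/* Added example: a flawed hostname check (oversized SAN -> CN fallback) next
 * to the fail-closed form. Illustrative only; not GnuTLS's implementation. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical parser limit on the SAN extension (an assumption standing in
 * for the unspecified size in the advisory). */
#define SAN_MAX_BYTES 64

/* Minimal certificate model: the CN plus the SAN extension stored as a
 * comma-separated list of dNSName entries (constructed, not real DER). */
struct cert {
    const char *cn;
    const char *san;   /* NULL when the extension is absent */
};

enum verdict { REJECT = 0, ACCEPT = 1 };

/* RFC 6125-style match: case-insensitive, wildcard allowed only as the whole
 * leftmost label ("*.example.com"). */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        return strcasecmp(pattern + 2, dot + 1) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Parse the SAN list and search it for host. Returns 1 on success with *found
 * set, 0 when the extension is larger than the parser's limit. */
static int parse_san(const char *san, const char *host, int *found)
{
    char buf[SAN_MAX_BYTES + 1];
    char *tok, *save;
    *found = 0;
    if (strlen(san) > SAN_MAX_BYTES)
        return 0; /* oversized: the parser gives up */
    strcpy(buf, san);
    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save))
        if (name_matches(tok, host)) { *found = 1; break; }
    return 1;
}

/* Flawed pattern: a SAN that cannot be parsed is handled like an absent SAN,
 * so the check falls through to the CN. */
int verify_vulnerable(const struct cert *c, const char *host)
{
    int found;
    if (c->san != NULL && parse_san(c->san, host, &found))
        return found ? ACCEPT : REJECT;
    /* Reached when the SAN is absent AND when it was too big to parse. */
    return name_matches(c->cn, host) ? ACCEPT : REJECT;
}

/* Hardened pattern: a present SAN is authoritative. An unparsable SAN is a
 * verification failure, never a reason to consult the CN. */
int verify_fixed(const struct cert *c, const char *host)
{
    int found;
    if (c->san != NULL) {
        if (!parse_san(c->san, host, &found))
            return REJECT; /* fail closed */
        return found ? ACCEPT : REJECT;
    }
    /* Legacy CN-only certificate: CN is consulted only when no SAN exists. */
    return name_matches(c->cn, host) ? ACCEPT : REJECT;
}

/* Constructed sample certificates (not real). sample_oversized has a SAN
 * longer than SAN_MAX_BYTES that omits the target host, while its CN names it. */
const struct cert sample_legit = { "www.example.com", "www.example.com,example.com" };
const struct cert sample_oversized = {
    "www.example.com",
    "a1.attacker.test,a2.attacker.test,a3.attacker.test,a4.attacker.test,a5.attacker.test"
};
const struct cert sample_san_mismatch = { "www.example.com", "other.example.net" };
const struct cert sample_no_san = { "www.example.com", NULL };

int main(void)
{
    const char *host = "www.example.com";
    printf("legit     vulnerable=%d fixed=%d\n",
           verify_vulnerable(&sample_legit, host), verify_fixed(&sample_legit, host));
    printf("oversized vulnerable=%d fixed=%d\n",
           verify_vulnerable(&sample_oversized, host), verify_fixed(&sample_oversized, host));
    return 0;
}
```

The oversized certificate is accepted by verify_vulnerable purely on the strength of its CN, and rejected by verify_fixed; a certificate whose SAN parses but does not list the host is rejected by both, which is the behaviour the CN fallback should never have bypassed.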
Affected Version(s)
Red Hat Enterprise Linux 10: 0:3.8.10-4.el10_2
Red Hat Enterprise Linux 10.0 Extended Update Support: 0:3.8.9-9.el10_0.19
Red Hat Enterprise Linux 8: 0:3.6.16-8.el8_10.6
Timeline
- Vulnerability published: 26 May 2026
- Vulnerability reserved