CVE-2026-9648
CVE-2026-9648

9.1CRITICAL

Key Information:

Vendor: Haskell Programming Language
Status: Crypton-certificate
Vendor: CVE Published:; 11 June 2026

🔔 Create Haskell Programming Language Vulnerability Alert

What is CVE-2026-9648?

The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.

Affected Version(s)

crypton-certificate 0 < 1.9.1

References

https://github.com/kazu-yamamoto/crypton-certificate/pull/30

https://github.com/kazu-yamamoto/crypton-certificate/pull...

https://hackage.haskell.org/package/crypton-x509-validati...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2026
Vulnerability Reserved
May 26, 2026

CVE-2026-9648 Data

JSON