CVE-2026-42790

HIGH EPSS 13.8%
Published May 27, 20261mo ago · Modified Jun 17, 20261w ago
7.6 CVSS 4.0
High
Find Similar
Published May 27, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com): First, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName. Second, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback. The result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher. This issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.

CVSS Details

Base Score
7.6
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction P
Scope X

Threat Intelligence

EPSS Exploit Probability
13.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-295
CWE-297

Affected Products 4

VendorProductVersionRange
erlangerlang\/otp*≥19.3  –  <26.2.5.21
erlangerlang\/otp*≥27.0  –  <27.3.4.12
erlangerlang\/otp*≥28.0  –  <28.5.0.1
erlangerlang\/otp*≥29.0  –  <29.0.1

References 7

  • cna.erlef.org https://cna.erlef.org/cves/CVE-2026-42790.html
    Third Party Advisory
  • github.com https://github.com/erlang/otp/commit/0769050c69d73762672b0db1347b6993a5b31759
    Patch
  • github.com https://github.com/erlang/otp/commit/21abed64eb2026b5f82f432709e4e932f9be389a
    Patch
  • github.com https://github.com/erlang/otp/commit/fb67c6d1836f51105a96d8b769e71e4215a79457
    Patch
  • github.com https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447
    Vendor Advisory
  • osv.dev https://osv.dev/vulnerability/EEF-CVE-2026-42790
    MitigationThird Party Advisory
  • erlang.org https://www.erlang.org/doc/system/versions.html#order-of-versions
    Product

Remediation

  • github.com https://github.com/erlang/otp/commit/0769050c69d73762672b0db1347b6993a5b31759
    Patch
  • github.com https://github.com/erlang/otp/commit/21abed64eb2026b5f82f432709e4e932f9be389a
    Patch
  • github.com https://github.com/erlang/otp/commit/fb67c6d1836f51105a96d8b769e71e4215a79457
    Patch