CVE-2026-42791

MEDIUM EPSS 23.3%
Published May 27, 20261mo ago · Modified Jun 17, 20261w ago
6.3 CVSS 4.0
Medium
Find Similar
Published May 27, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows forged OCSP responses signed with an expired responder certificate to be accepted as valid. OCSP response verification in pubkey_ocsp:verify_response/5 and pubkey_ocsp:is_authorized_responder/3 in lib/public_key/src/pubkey_ocsp.erl does not check the validity period (notBefore/notAfter) of the OCSP responder certificate. An attacker who has obtained the private key of an expired CA-designated OCSP responder certificate can forge OCSP responses that Erlang/OTP accepts as valid. This affects TLS clients using OCSP stapling via the ssl application: a malicious or compromised server can present a revoked TLS certificate together with a forged OCSP response signed by an expired responder key, and the client will accept the revoked certificate as valid. It also affects applications calling public_key:pkix_ocsp_validate/5 directly, where the impact depends on the use case — server-side client certificate validation using this API may allow authentication bypass with a revoked client certificate. This issue affects OTP from OTP 27.0 before OTP 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.16 before 1.17.1.3, 1.20.3.1, and 1.21.1.

CVSS Details

Base Score
6.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
23.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-295
CWE-672

Affected Products 3

VendorProductVersionRange
erlangerlang\/otp*≥27.0  –  <27.3.4.12
erlangerlang\/otp*≥28.0  –  <28.5.0.1
erlangerlang\/otp*≥29.0  –  <29.0.1

References 6

  • cna.erlef.org https://cna.erlef.org/cves/CVE-2026-42791.html
    Third Party Advisory
  • github.com https://github.com/erlang/otp/commit/7995f1fdaee3da569bb810358ce0f546471d169b
    Patch
  • github.com https://github.com/erlang/otp/commit/b3870e02405c709a872b01ba6086065620cdfe76
    Patch
  • github.com https://github.com/erlang/otp/security/advisories/GHSA-cjxj-wj6x-3fff
    MitigationVendor Advisory
  • osv.dev https://osv.dev/vulnerability/EEF-CVE-2026-42791
    Third Party Advisory
  • erlang.org https://www.erlang.org/doc/system/versions.html#order-of-versions
    Product

Remediation

  • github.com https://github.com/erlang/otp/commit/7995f1fdaee3da569bb810358ce0f546471d169b
    Patch
  • github.com https://github.com/erlang/otp/commit/b3870e02405c709a872b01ba6086065620cdfe76
    Patch