Bug 2453205 (CVE-2026-32884) - CVE-2026-32884 Botan: Botan: Certificate validation bypass due to mixed-case Common Name in X.509 certificates
Keywords:
Status: NEW
Alias: CVE-2026-32884
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2453758 2453760 2453756 2453757 2453759 2453761
Blocks:
Reported: 2026-03-30 21:02 UTC by OSIDB Bzimport
Modified: 2026-04-13 07:36 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-30 21:02:31 UTC
Botan is a C++ cryptography library. Prior to version 3.11.0, during processing of an X.509 certificate path using name constraints which restrict the set of allowable DNS names, if no subject alternative name is defined in the end-entity certificate, Botan would check that the CN was allowed by the DNS name constraints, even though this check is technically not required by RFC 5280. However, this check failed to account for the possibility of a mixed-case CN. Thus a certificate with CN=Sub.EVIL.COM and no subject alternative name would bypass an excludedSubtrees constraint for evil.com, because the comparison is case-sensitive. This issue has been patched in version 3.11.0.
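The following is an added illustration of the flaw described above, not Botan's own code: a case-sensitive DNS subtree match is shown beside a hardened version that canonicalises both the name and the constraint to lower case before comparing (DNS names are case-insensitive per RFC 4343). Function names and the suffix-matching logic are assumptions for the example, not Botan's API.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Canonicalise an ASCII DNS name to lower case before comparison.
std::string to_lower_ascii(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Strip an optional leading '.' so that ".evil.com" and "evil.com" denote the same subtree.
std::string normalise_constraint(const std::string& constraint) {
    return (!constraint.empty() && constraint[0] == '.') ? constraint.substr(1) : constraint;
}

// Case-sensitive subtree match, mirroring the pre-3.11.0 behaviour from the description:
// a name is in the subtree if it equals the constraint or ends in "." + constraint.
// "Sub.EVIL.COM" therefore does NOT match "evil.com" here, which is the bypass.
bool dns_in_subtree_case_sensitive(const std::string& name, const std::string& constraint) {
    const std::string base = normalise_constraint(constraint);
    if (name == base) return true;
    const std::string suffix = "." + base;
    if (name.size() <= suffix.size()) return false;
    return name.compare(name.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Hardened match: lower-case both sides first, so mixed-case CNs cannot slip past a constraint.
bool dns_in_subtree(const std::string& name, const std::string& constraint) {
    return dns_in_subtree_case_sensitive(to_lower_ascii(name), to_lower_ascii(constraint));
}

// Decision for an end-entity certificate whose only DNS identity is its CN:
// it is allowed only if the CN falls outside every excludedSubtrees DNS constraint.
bool cn_allowed_under_excluded(const std::string& cn, const std::string& excluded,
                               bool case_insensitive) {
    return case_insensitive ? !dns_in_subtree(cn, excluded)
                            : !dns_in_subtree_case_sensitive(cn, excluded);
}
```

With the constructed inputs CN=Sub.EVIL.COM and an excluded subtree of evil.com, the case-sensitive path accepts the certificate while the hardened path rejects it.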

