2456285 – (CVE-2026-34582) CVE-2026-34582 botan: Botan: Client authentication bypass in TLS 1.3 implementation

Bug 2456285 (CVE-2026-34582) - CVE-2026-34582 botan: Botan: Client authentication bypass in TLS 1.3 implementation

Summary: CVE-2026-34582 botan: Botan: Client authentication bypass in TLS 1.3 implemen...

Keywords:
Status:	NEW
Alias:	CVE-2026-34582
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2456397 2456398 2456399 2456400 2456401 2456402
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-07 22:02 UTC by OSIDB Bzimport
Modified:	2026-04-08 09:23 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-07 22:02:04 UTC

Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can by bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1.

Note You need to log in before you can comment on or make changes to this bug.