CVE 9.1 CRITICAL

CVE-2026-9648_CVE-2026-9648

June 11, 2026 invoker category_cve

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.

AI Analysis

The crypton-x509-validation library fails to enforce X.509 NameConstraints, allowing an attacker to impersonate domains beyond the intended scope.

Basic Information

ID CVE-2026-9648

Source certcc

Published Jun 11, 2026 at 14:30

Modified Jun 11, 2026 at 15:39

Affected Product

Vendor Haskell Programming Language

Product crypton-certificate

Affected Versions Haskell Programming Language crypton-certificate 0

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor Haskell Programming Language

Product crypton-certificate

References

{
    "lastseen": "",
    "description": "The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA\u2019s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.",
    "published": "2026-06-11T14:30:30.800Z",
    "modified": "2026-06-11T15:39:31.210Z",
    "type": "cve",
    "title": "CVE-2026-9648",
    "source": "certcc",
    "references": "https://github.com/kazu-yamamoto/crypton-certificate/pull/30\nhttps://github.com/kazu-yamamoto/crypton-certificate/pull/30/changes/f4b77edf6ead77f4a886da40e41eab20f0180e39\nhttps://hackage.haskell.org/package/crypton-x509-validation-1.9.1/revisions/\nhttps://github.com/haskell/security-advisories/pull/332",
    "id": "CVE-2026-9648",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Haskell Programming Language crypton-certificate 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "crypton-certificate",
    "version": "0",
    "vendor": "Haskell Programming Language",
    "ai_description": "The crypton-x509-validation library fails to enforce X.509 NameConstraints, allowing an attacker to impersonate domains beyond the intended scope.",
    "ai_severity": "Critical",
    "ai_vendor": "Haskell Programming Language",
    "ai_product": "crypton-certificate",
    "ai_version": "0",
    "ai_score": 9.1
}

💭 Join the Security Discussion ❌ Cancel Reply