{“lastseen”:””,”description”:”Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification.\\n\\nTwo flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com):\\n\\nFirst, pubkey_cert:validate_names\/6 in lib\/public_key\/src\/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:… constraint regardless of its subject commonName.\\n\\nSecond, public_key:pkix_verify_hostname\/3 in lib\/public_key\/src\/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback.\\n\\nThe result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher.\\n\\nThis issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.”,”published”:”2026-05-27T15:09:01.860Z”,”modified”:”2026-05-27T15:41:09.137Z”,”type”:”cve”,”title”:”nameConstraints DNS bypass via subject CommonName fallback in public_key hostname verification”,”source”:”EEF”,”references”:”https:\/\/github.com\/erlang\/otp\/security\/advisories\/GHSA-22cw-4ph4-6447\\nhttps:\/\/cna.erlef.org\/cves\/CVE-2026-42790.html\\nhttps:\/\/osv.dev\/vulnerability\/EEF-CVE-2026-42790\\nhttps:\/\/www.erlang.org\/doc\/system\/versions.html#order-of-versions\\nhttps:\/\/github.com\/erlang\/otp\/commit\/0769050c69d73762672b0db1347b6993a5b31759\\nhttps:\/\/github.com\/erlang\/otp\/commit\/fb67c6d1836f51105a96d8b769e71e4215a79457\\nhttps:\/\/github.com\/erlang\/otp\/commit\/21abed64eb2026b5f82f432709e4e932f9be389a”,”id”:”CVE-2026-42790″,”bulletinFamily”:””,”cwe”:[“CWE-295″,”CWE-297″],”cvelist”:null,”sourceData”:”Erlang OTP 1.4\\nErlang OTP 19.3\\nErlang OTP b0c245e8132bb13171e277b1af59c0cec00c9459″,”sourceHref”:””,”cvss”:{“score”:7.6,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:N\/AC:H\/AT:P\/PR:N\/UI:P\/VC:H\/VI:H\/VA:N\/SC:N\/SI:N\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”OTP”,”version”:”1.4″,”vendor”:”Erlang”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification.\\n\\nTwo…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,63,12,15,13,7,11,5],"class_list":["post-57454","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-76","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n