CVE-2026-42011

High

Published: 07 May 2026

Published

07 May 2026

Modified

07 May 2026

KEV Added

—

Patch

—

CVSS Score 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0002 6.0th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate…

validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SA-19 Component Authenticity

addresses: CWE-295

When certificates are used to establish component provenance, the control requires correct certificate validation procedures.

SC-17 Public Key Infrastructure Certificates

addresses: CWE-295

Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.

SC-45 System Time Synchronization

addresses: CWE-295

Correct system time is required for proper enforcement of certificate notBefore/notAfter dates and time-based revocation checks.

Security SummaryAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-295

References

https://access.redhat.com/security/cve/CVE-2026-42011
secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2467437
secalert@redhat.com