Cyber Posture

CVE-2026-42013

High
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: not affectedAppOther: affectedOth

Published: 26 May 2026

Published
26 May 2026
Modified
27 May 2026
KEV Added
Patch
CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
EPSS Score 0.0003 10.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42013 is a high-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 10.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Adversary-in-the-Middle (T1557).
Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
attack.mitre.org →
Why these techniques?

Oversized SAN flaw directly bypasses cert validation in gnutls, enabling spoofing/MITM as described.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper…

more

certificate validation, potentially leading to spoofing or man-in-the-middle attacks.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-1284

EU & UK References

References