Description
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.
Published: 2026-04-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability stems from gnutls performing case‑sensitive comparisons of the nameConstraints field when evaluating DNS or email constraints in excludedSubtrees or permittedSubtrees. An attacker can craft a leaf certificate whose Subject Alternative Names (SANs) use different casing, causing the constraint check to be bypassed and a certificate that should be rejected to be accepted, potentially leading to unauthorized access or information disclosure.
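The comparison flaw described above, as an added example that is not gnutls code: a toy dNSName nameConstraints checker run once with case-sensitive matching (the flawed behaviour) and once folding case as RFC 5280 requires for DNS names. The constraint subtrees and SAN values are constructed for the example.

```python
"""Added example (not gnutls code): applying X.509 nameConstraints
(RFC 5280 s4.2.1.10) to the dNSName entries of a leaf certificate's SAN,
comparing a case-sensitive matcher with the case-insensitive matcher that
DNS semantics require. All constraint and SAN values are constructed."""


def dns_in_subtree(san: str, subtree: str, fold_case: bool) -> bool:
    """A dNSName constraint 'example.com' covers example.com and every
    name formed by adding labels on the left. DNS labels are
    case-insensitive, so a correct matcher folds case before comparing."""
    if fold_case:
        san, subtree = san.lower(), subtree.lower()
    return san == subtree or san.endswith("." + subtree)


def check_name_constraints(sans, permitted, excluded, fold_case=True):
    """Return (accepted, reason). RFC 5280: every dNSName SAN must lie
    outside all excludedSubtrees and, when permittedSubtrees lists any
    dNSName, inside at least one of them."""
    for san in sans:
        if any(dns_in_subtree(san, s, fold_case) for s in excluded):
            return False, f"{san} is in excludedSubtrees"
        if permitted and not any(dns_in_subtree(san, s, fold_case) for s in permitted):
            return False, f"{san} is outside permittedSubtrees"
    return True, "all dNSName SANs satisfy the constraints"


# Constructed intermediate-CA policy: may issue under example.com,
# but never for anything under internal.example.com.
PERMITTED = ["example.com"]
EXCLUDED = ["internal.example.com"]

if __name__ == "__main__":
    # SAN differing from the excluded subtree only by letter case.
    leaf = ["Secret.INTERNAL.example.com"]
    # Case-sensitive: the excluded subtree is not recognised, the permitted
    # one is, and the certificate is accepted (the policy bypass).
    print("case-sensitive  :", check_name_constraints(leaf, PERMITTED, EXCLUDED, fold_case=False))
    # Case-insensitive: the SAN is seen inside the excluded subtree and rejected.
    print("case-insensitive:", check_name_constraints(leaf, PERMITTED, EXCLUDED))
```

Case sensitivity cuts both ways: with fold_case=False a legitimate SAN such as www.EXAMPLE.com is also wrongly rejected as outside the permitted subtree.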

Affected Systems

The flaw is present in Red Hat Enterprise Linux releases 6 through 10, the Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4. These systems ship the affected gnutls libraries that lack the necessary case‑insensitive validation.

Risk and Exploitability

The CVSS score of 6.5 marks this flaw as a moderate‑severity risk, and it is not yet listed in the CISA KEV catalog. EPSS information is unavailable, so the current exploitation probability is unknown. The attack requires an attacker able to supply a rogue certificate to a TLS endpoint that uses gnutls; the vulnerability is typically exploitable over network services that perform client authentication or validate server certificates. Because the bypass is purely a policy validation issue, it does not involve arbitrary code execution but can grant trust to an otherwise disallowed certificate, enabling credential compromise or man‑in‑the‑middle techniques.

Generated by OpenCVE AI on May 1, 2026 at 05:07 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Upgrade to the latest Red Hat Enterprise Linux or OpenShift release that includes the fixed gnutls library.
  • Configure services to perform explicit SAN checks and enforce case‑insensitive validation in application logic where possible.
  • Continuously monitor TLS authentication logs for certificates that appear to violate policy constraints and audit for potential unauthorized access.

Generated by OpenCVE AI on May 1, 2026 at 05:07 UTC.

Advisories

No advisories yet.

History

Fri, 01 May 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Redhat hardened Images
                                      Redhat openshift Container Platform
Vendors & Products                    Redhat hardened Images
                                      Redhat openshift Container Platform

Fri, 01 May 2026 00:15:00 +0000

Type        Values Removed           Values Added
References
Metrics     threat_severity: None    threat_severity: Moderate

Thu, 30 Apr 2026 19:15:00 +0000

Type        Values Removed   Values Added
Metrics                      ssvc
                             {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 18:00:00 +0000

Type                 Values Removed   Values Added
Description                           A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.
Title                                 Gnutls: gnutls: policy bypass due to case-sensitive nameconstraints comparison
First Time appeared                   Redhat
                                      Redhat enterprise Linux
                                      Redhat hummingbird
                                      Redhat openshift
Weaknesses                            CWE-178
CPEs                                  cpe:/a:redhat:hummingbird:1
                                      cpe:/a:redhat:openshift:4
                                      cpe:/o:redhat:enterprise_linux:10
                                      cpe:/o:redhat:enterprise_linux:6
                                      cpe:/o:redhat:enterprise_linux:7
                                      cpe:/o:redhat:enterprise_linux:8
                                      cpe:/o:redhat:enterprise_linux:9
Vendors & Products                    Redhat
                                      Redhat enterprise Linux
                                      Redhat hummingbird
                                      Redhat openshift
References
Metrics                               cvssV3_1
                                      {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-30T18:37:57.245Z

Reserved: 2026-03-09T14:00:51.698Z

Link: CVE-2026-3833

Vulnrichment

Updated: 2026-04-30T18:37:51.941Z

NVD

Status: Awaiting Analysis

Published: 2026-04-30T18:16:30.577

Modified: 2026-04-30T19:16:09.663

Link: CVE-2026-3833

Redhat

Severity: Moderate

Public Date: 2026-04-30T17:26:28Z

Links: CVE-2026-3833 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T08:21:12Z

Weaknesses