Description
Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification.

Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com):

First, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName.

Second, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback.

The result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher.

This issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.
Published: 2026-05-27
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Erlang OTP’s public_key modules contain an improper certificate validation flaw that enables a DNS nameConstraints bypass through the subject CommonName fallback in TLS hostname verification. The vulnerability allows a subordinate CA whose certificate includes DNS‑based nameConstraints to issue a leaf certificate without a subjectAltName extension. Because the validation routine only checks SAN entries against the nameConstraints, a certificate lacking SAN trivially satisfies the constraint. The openSSL‑compatible hostname verifier then falls back to the CommonName when SAN is missing, accepting the leaf for the intended hostname. This can lead to authentication spoofing and man‑in‑the‑middle attacks, as clients think they are connected to a legitimate server while actually trusting a rogue certificate.

Affected Systems

The affected products are Erlang:OTP's OTP releases from 19.3 up to, but not including, 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1, which correspond to public_key versions 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.1. Any environment running these OTP or public_key versions is vulnerable.

Risk and Exploitability

The CVSS score of 7.6 indicates moderate‑to‑high severity and the lack of an EPSS rating means the exact exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a TLS client that uses the stock ssl:connect with verify_peer, a trusted CA, and SNI, as well as a strict https hostname matcher. The likely attack vector is an attacker controlling a server that presents a crafted certificate chain; the OTP client will then accept the rogue certificate and establish a trust relationship, enabling impersonation of the target domain. Because the flaw only affects clients, it does not provide remote code execution, but it undermines authentication and confidentiality.

Generated by OpenCVE AI on May 27, 2026 at 19:38 UTC.

Remediation

Vendor Workaround

The verify_fun option in the ssl application can be used to ensure that TLS connections fail if the end-entity certificate is missing the subjectAltName extension or has no domain name. Do not use a verify_fun that accepts the name_not_permitted error.

OpenCVE Recommended Actions

  • Upgrade to a fixed Erlang OTP release (26.2.5.21 or later) that incorporates the public_key patch
  • Configure the ssl application with a verify_fun that rejects certificates missing a subjectAltName or that return a name_not_permitted error
  • Ensure all server certificates include a subjectAltName extension for DNS names and avoid relying on CommonName for hostname verification

Generated by OpenCVE AI on May 27, 2026 at 19:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Thu, 28 May 2026 05:00:00 +0000

Type Values Removed Values Added
First Time appeared Erlang erlang/otp
Erlang otp
Vendors & Products Erlang erlang/otp
Erlang otp

Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com): First, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName. Second, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback. The result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher. This issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.
Title nameConstraints DNS bypass via subject CommonName fallback in public_key hostname verification
First Time appeared Erlang
Erlang erlang\/otp
Weaknesses CWE-295
CWE-297
CPEs cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Vendors & Products Erlang
Erlang erlang\/otp
References
Metrics cvssV4_0

{'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Erlang Erlang/otp Erlang\/otp Otp
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-28T04:39:17.033Z

Reserved: 2026-04-29T18:06:33.251Z

Link: CVE-2026-42790

cve-icon Vulnrichment

Updated: 2026-05-27T17:31:58.755Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T17:16:36.030

Modified: 2026-06-02T14:24:15.540

Link: CVE-2026-42790

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T04:45:07Z

Weaknesses
  • CWE-295

    Improper Certificate Validation

  • CWE-297

    Improper Validation of Certificate with Host Mismatch