{"containers":{"cna":{"affected":[{"cpes":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","modules":["pubkey_cert","public_key"],"packageName":"public_key","packageURL":"pkg:otp/public_key?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp&vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git","product":"OTP","programFiles":["src/pubkey_cert.erl","src/public_key.erl"],"programRoutines":[{"name":"pubkey_cert:validate_names/6"},{"name":"public_key:pkix_verify_hostname/3"}],"repo":"https://github.com/erlang/otp","vendor":"Erlang","versions":[{"changes":[{"at":"1.15.1.7","status":"unaffected"},{"at":"1.17.1.3","status":"unaffected"},{"at":"1.20.3.1","status":"unaffected"},{"at":"1.21.1","status":"unaffected"}],"lessThan":"*","status":"affected","version":"1.4","versionType":"otp"}]},{"collectionURL":"https://github.com","cpes":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","modules":["pubkey_cert","public_key"],"packageName":"erlang/otp","packageURL":"pkg:github/erlang/otp","product":"OTP","programFiles":["lib/public_key/src/pubkey_cert.erl","lib/public_key/src/public_key.erl"],"programRoutines":[{"name":"pubkey_cert:validate_names/6"},{"name":"public_key:pkix_verify_hostname/3"}],"repo":"https://github.com/erlang/otp","vendor":"Erlang","versions":[{"changes":[{"at":"26.2.5.21","status":"unaffected"},{"at":"27.3.4.12","status":"unaffected"},{"at":"28.5.0.1","status":"unaffected"},{"at":"29.0.1","status":"unaffected"}],"lessThan":"*","status":"affected","version":"19.3","versionType":"otp"},{"changes":[{"at":"0769050c69d73762672b0db1347b6993a5b31759","status":"unaffected"},{"at":"fb67c6d1836f51105a96d8b769e71e4215a79457","status":"unaffected"},{"at":"21abed64eb2026b5f82f432709e4e932f9be389a","status":"unaffected"}],"lessThan":"*","status":"affected","version":"b0c245e8132bb13171e277b1af59c0cec00c9459","versionType":"git"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","versionEndExcluding":"26.2.5.21","versionStartIncluding":"19.3","vulnerable":true},{"criteria":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","versionEndExcluding":"27.3.4.12","versionStartIncluding":"27.0","vulnerable":true},{"criteria":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","versionEndExcluding":"28.5.0.1","versionStartIncluding":"28.0","vulnerable":true},{"criteria":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","versionEndExcluding":"29.0.1","versionStartIncluding":"29.0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"AND"}],"credits":[{"lang":"en","type":"finder","value":"John Downey"},{"lang":"en","type":"remediation developer","value":"Ingela Anderton Andin"},{"lang":"en","type":"remediation reviewer","value":"Dan Gudmundsson"},{"lang":"en","type":"remediation reviewer","value":"Jakub Witczak"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Improper Certificate Validation vulnerability in Erlang OTP <tt>public_key</tt> (<tt>pubkey_cert</tt> and <tt>public_key</tt> modules) allows a DNS <tt>nameConstraints</tt> bypass via subject CommonName fallback in TLS hostname verification.<p>Two flaws combine to allow a subordinate CA whose DNS <tt>nameConstraints</tt> are restricted (e.g. <tt>permitted;DNS:allowed.example.com</tt>) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. <tt>victim.example.com</tt>):</p><p>First, <tt>pubkey_cert:validate_names/6</tt> in <tt>lib/public_key/src/pubkey_cert.erl</tt> only checks SAN DNS entries against <tt>nameConstraints</tt>. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no <tt>subjectAltName</tt> therefore trivially satisfies any <tt>permitted;DNS:...</tt> constraint regardless of its subject <tt>commonName</tt>.</p><p>Second, <tt>public_key:pkix_verify_hostname/3</tt> in <tt>lib/public_key/src/public_key.erl</tt> falls back to the subject <tt>commonName</tt> when no <tt>subjectAltName</tt> is present, extracting <tt>id-at-commonName</tt> attributes as presented IDs and matching them against the reference hostname. The strict <tt>pkix_verify_hostname_match_fun(https)</tt> matcher does not suppress this fallback.</p><p>The result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the <tt>nameConstraints</tt> are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock <tt>ssl:connect</tt> with <tt>verify_peer</tt>, a trusted CA, SNI, and the canonical strict <tt>https</tt> hostname matcher.</p><p>This issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to <tt>public_key</tt> from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.</p>"}],"value":"Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification.\n\nTwo flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com):\n\nFirst, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName.\n\nSecond, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback.\n\nThe result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher.\n\nThis issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1."}],"impacts":[{"capecId":"CAPEC-475","descriptions":[{"lang":"en","value":"CAPEC-475 Signature Spoofing by Improper Validation"}]}],"metrics":[{"cvssV4_0":{"attackComplexity":"HIGH","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":7.6,"baseSeverity":"HIGH","privilegesRequired":"NONE","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"PASSIVE","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-295","description":"CWE-295 Improper Certificate Validation","lang":"en","type":"CWE"},{"cweId":"CWE-297","description":"CWE-297 Improper Validation of Certificate with Host Mismatch","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-27T15:41:09.137Z","orgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","shortName":"EEF"},"references":[{"tags":["vendor-advisory","related"],"url":"https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447"},{"tags":["related"],"url":"https://cna.erlef.org/cves/CVE-2026-42790.html"},{"tags":["related"],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-42790"},{"tags":["x_version-scheme"],"url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"},{"tags":["patch"],"url":"https://github.com/erlang/otp/commit/0769050c69d73762672b0db1347b6993a5b31759"},{"tags":["patch"],"url":"https://github.com/erlang/otp/commit/fb67c6d1836f51105a96d8b769e71e4215a79457"},{"tags":["patch"],"url":"https://github.com/erlang/otp/commit/21abed64eb2026b5f82f432709e4e932f9be389a"}],"source":{"discovery":"EXTERNAL"},"title":"nameConstraints DNS bypass via subject CommonName fallback in public_key hostname verification","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The <tt>verify_fun</tt> option in the <tt>ssl</tt> application can be used to ensure that TLS connections fail if the end-entity certificate is missing the <tt>subjectAltName</tt> extension or has no domain name. Do not use a <tt>verify_fun</tt> that accepts the <tt>name_not_permitted</tt> error."}],"value":"The verify_fun option in the ssl application can be used to ensure that TLS connections fail if the end-entity certificate is missing the subjectAltName extension or has no domain name. Do not use a verify_fun that accepts the name_not_permitted error."}],"x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","assignerShortName":"EEF","cveId":"CVE-2026-42790","datePublished":"2026-05-27T15:09:01.860Z","dateReserved":"2026-04-29T18:06:33.251Z","dateUpdated":"2026-05-27T15:41:09.137Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"}