PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34580 Botan Project CVE debrief

CVE-2026-34580 is a critical vulnerability in the Botan C++ cryptography library, specifically in version 3.11.0. The vulnerability allows an end entity certificate to be accepted as a trusted root if its DN and subject key identifier match those of a trusted root. The issue arises from a misleadingly named function, 'certificate_known', which was used in an extension of the path validation logic. The impact is that an attacker could potentially use an end entity certificate as if it were a trusted root, leading to a complete compromise of the certificate validation process. The vulnerability has been fixed in version 3.11.1 of the Botan library. Users of the library are advised to upgrade to the latest version to mitigate this vulnerability.

Vendor: Botan Project
Product: Botan
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-07
Original CVE updated: 2026-06-30
Advisory published: 2026-04-07
Advisory updated: 2026-06-30

Who should care

Organizations and developers using the Botan C++ cryptography library, especially those relying on certificate validation for secure communication, should be aware of this vulnerability. This includes, but is not limited to, entities using Botan for SSL/TLS, code signing, or other cryptographic purposes. Given the critical nature of this vulnerability, immediate attention is required to ensure the security of systems and applications that depend on Botan for cryptographic operations.

Technical summary

The Botan C++ cryptography library, in version 3.11.0, contains a critical vulnerability identified as CVE-2026-34580. This vulnerability stems from a misleadingly named function, 'certificate_known', which is used in the library's certificate validation process. The function, contrary to its name, does not verify if the provided certificate is identical to one in the trusted store but rather checks if any certificate in the store has a matching DN and subject key identifier. An extension to the path validation logic, introduced in version 3.11.0, incorrectly assumed that 'certificate_known' only returned true for identical certificates. Consequently, if an end entity certificate's DN and subject key identifier match those of a trusted root, it can be accepted as a trusted root, bypassing proper validation. This vulnerability has a CVSS score of 9.3, indicating a critical severity level. The issue has been addressed in Botan version 3.11.1.
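As an added illustration (this is not Botan's code; the Cert and TrustStore types and all function names below are assumed for the model), the following C++ sketch contrasts a trust-store lookup that matches on DN and subject key identifier with a check for the identical certificate, and shows that an end entity certificate carrying a root's DN and SKID passes the first check but not the second:

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Minimal model of a certificate: only the fields this comparison needs.
// Constructed for illustration; not Botan's X509_Certificate type.
struct Cert {
    std::string subject_dn;   // subject Distinguished Name
    std::string subject_skid; // Subject Key Identifier extension value
    std::string encoding;     // full DER encoding (stand-in bytes here)
    bool operator==(const Cert& o) const { return encoding == o.encoding; }
};

// Trust store holding the roots the validator trusts (assumed model type).
struct TrustStore {
    std::vector<Cert> roots;

    // Lookup by name + key id: answers "is there a root with this DN and SKID?",
    // not "is this exact certificate one of the roots?" (the behaviour the
    // debrief attributes to certificate_known).
    bool known_by_dn_and_skid(const Cert& c) const {
        return std::any_of(roots.begin(), roots.end(), [&](const Cert& r) {
            return r.subject_dn == c.subject_dn && r.subject_skid == c.subject_skid;
        });
    }

    // Identity check: the candidate must be byte-for-byte one of the roots.
    bool is_trusted_root(const Cert& c) const {
        return std::find(roots.begin(), roots.end(), c) != roots.end();
    }
};

// Constructed sample data: one trusted root, and an end entity certificate
// whose DN and SKID equal the root's but whose encoding differs.
inline TrustStore sample_store() {
    return TrustStore{{Cert{"CN=Example Root CA", "skid-root", "DER(root)"}}};
}
inline Cert sample_end_entity() {
    return Cert{"CN=Example Root CA", "skid-root", "DER(end-entity)"};
}

// Flawed anchor decision: a name + key-id match is taken to mean "this is a root".
inline bool accepted_as_root_flawed(const TrustStore& s, const Cert& c) {
    return s.known_by_dn_and_skid(c);
}
// Anchor decision the path validation extension assumed it was getting:
// only a certificate identical to a stored root counts as a root.
inline bool accepted_as_root_fixed(const TrustStore& s, const Cert& c) {
    return s.is_trusted_root(c);
}
```

The end entity is accepted by the DN+SKID lookup and rejected by the identity check, while the genuine root passes both.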

Defensive priority

High

Recommended defensive actions

  • Upgrade to Botan version 3.11.1 or later to fix the vulnerability.
  • Review and update certificate validation logic in systems and applications using Botan to ensure they are not relying on the flawed 'certificate_known' function.
  • Implement additional monitoring and validation checks for certificates to mitigate the risk until the upgrade is complete.
  • Inventory and assess the impact on systems and applications that use Botan for cryptographic operations.
  • Consider compensating controls, such as enhanced certificate validation or revocation checks, until the upgrade can be completed.

Evidence notes

The CVE-2026-34580 vulnerability was publicly disclosed on April 7, 2026, and has since been modified on June 30, 2026, to reflect additional details. The vulnerability was identified in the Botan C++ cryptography library, version 3.11.0. The issue arises from a function named 'certificate_known' which does not perform as its name suggests, leading to a critical vulnerability in certificate validation. The CVSS score for this vulnerability is 9.3, indicating critical severity. The vulnerability has been fixed in Botan version 3.11.1.

Official resources

This article is AI-assisted and based on the supplied source corpus.