PatchSiren

CVE-2026-9648 Haskell Programming Language CVE debrief

The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.

Vendor: Haskell Programming Language
Product: crypton-certificate
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-11
Original CVE updated: 2026-06-11
Advisory published: 2026-06-11
Advisory updated: 2026-06-11

Who should care

Users of the crypton-x509-validation Haskell library, particularly those who rely on it for certificate validation and TLS communications.

Technical summary

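Because the library does not enforce X.509 NameConstraints, a certificate issued by a name-constrained sub-CA is accepted even when its Subject Alternative Names fall outside that CA's permitted subtrees. An attacker who compromises such a sub-CA can therefore impersonate domains beyond its intended scope.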

Defensive priority

High

Recommended defensive actions

  • Update to the latest version of the crypton-x509-validation library.
  • Review and update certificate validation processes to ensure proper enforcement of X.509 NameConstraints.
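
To make the second action concrete, the following is an added example (not code from crypton-x509-validation or from the advisory) of the dNSName check that RFC 5280 section 4.2.1.10 requires a validator to apply for every CA in the chain. It goes slightly beyond the summary above by also handling excluded subtrees; the class and function names and the sample host names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class NameConstraints:
    """dNSName subtrees from one CA certificate's NameConstraints extension."""
    permitted_dns: list = field(default_factory=list)
    excluded_dns: list = field(default_factory=list)

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def dns_within(name, constraint):
    """True if `name` equals `constraint` or adds whole labels to its left."""
    n, c = _labels(name), _labels(constraint)
    # Compare label by label: a plain string suffix test would wrongly
    # treat "evilcorp.example" as inside "corp.example".
    return len(n) >= len(c) and n[len(n) - len(c):] == c

def violations(san_dns_names, chain_constraints):
    """Return (name, reason) for each SAN that any CA in the chain forbids."""
    bad = []
    for name in san_dns_names:
        for nc in chain_constraints:
            # Excluded subtrees win over permitted ones.
            if any(dns_within(name, ex) for ex in nc.excluded_dns):
                bad.append((name, "excluded"))
                break
            # A non-empty permitted list means the name must match one entry.
            if nc.permitted_dns and not any(
                    dns_within(name, p) for p in nc.permitted_dns):
                bad.append((name, "not permitted"))
                break
    return bad

# Constructed sample data: a sub-CA limited to corp.example, minus one subtree.
SUB_CA = NameConstraints(permitted_dns=["corp.example"],
                         excluded_dns=["lab.corp.example"])
LEAF_SANS = ["vpn.corp.example", "login.bank.example",
             "evilcorp.example", "db.lab.corp.example"]

if __name__ == "__main__":
    for name, reason in violations(LEAF_SANS, [SUB_CA]):
        print(f"reject chain: {name} ({reason})")
```

A chain is acceptable only when `violations` returns an empty list for the leaf's SANs against the constraints of every CA above it. The example covers dNSName entries only; other name types (IP addresses, e-mail addresses, directory names) have their own matching rules.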

Evidence notes

The CVE-2026-9648 record indicates a critical vulnerability in the crypton-x509-validation library with a CVSS score of 9.1.

Official resources

CVE-2026-9648 was published on 2026-06-11T16:16:25.503Z and modified on 2026-06-11T21:02:34.917Z.