PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3833 Red Hat CVE debrief

A case-sensitivity flaw in GnuTLS nameConstraints validation allows certificate policy bypass. The vulnerability stems from case-sensitive comparison of dNSName and rfc822Name constraints in excludedSubtrees or permittedSubtrees, enabling attackers to craft leaf certificates with casing variations that evade rejection. This affects certificate chain validation in applications relying on GnuTLS for TLS/SSL authentication, potentially permitting unauthorized access when name constraints should block a certificate. The issue was disclosed in April 2026 and its record was last updated in late May 2026. Red Hat has issued security advisories for multiple Enterprise Linux versions and OpenShift Container Platform. The upstream GnuTLS project has tracked this issue and classified it as exploitable.

Vendor
Red Hat
Product
Red Hat Enterprise Linux 8
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-30
Original CVE updated
2026-05-27
Advisory published
2026-04-30
Advisory updated
2026-05-27

Who should care

Organizations operating PKI infrastructure with name constraints, enterprises using GnuTLS for TLS termination or client authentication, certificate authorities implementing constrained subordinate CAs, and security teams responsible for certificate policy enforcement in Linux environments.

Technical summary

GnuTLS performs case-sensitive string comparisons when evaluating nameConstraints extensions for dNSName and rfc822Name constraints. Per RFC 5280, DNS hostnames and email addresses should be treated case-insensitively in certificate processing. An attacker obtaining a certificate from a subordinate CA with name constraints can craft a leaf certificate with alternative casing in the Subject Alternative Name (e.g., 'Example.COM' vs 'example.com') that bypasses excludedSubtrees restrictions or evades permittedSubtrees requirements. This violates the intended certificate policy boundary, potentially allowing authentication to systems that should reject the certificate based on name constraint policies. The vulnerability affects GnuTLS across all versions and Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4.0, and hardened images.

Defensive priority

medium

Recommended defensive actions

  • Apply Red Hat security advisories RHSA-2026:13274 and RHSA-2026:20611 when available for affected Enterprise Linux and OpenShift deployments
  • Update GnuTLS to patched versions provided by distribution maintainers
  • Review certificate validation implementations for reliance on nameConstraints with DNS or email constraints
  • Monitor certificate chains for leaf certificates employing casing variations in SAN fields that may indicate exploitation attempts
  • Validate that certificate policy enforcement correctly handles case-insensitive domain and email comparisons per RFC 5280 requirements
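The following added example, written for this debrief and not taken from GnuTLS or Red Hat, models the comparison described in the technical summary and gives a harness for the last action above. It implements dNSName and rfc822Name subtree matching twice, once with the case-sensitive comparison the advisory describes and once folding case as RFC 5280 requires, and runs both against a constructed subordinate-CA constraint set and a constructed leaf SAN whose only variation is letter case. All names, constraint values and function names are assumptions chosen for illustration.

```python
"""
Name-constraint matching: the case-sensitive comparison described in the
debrief beside the RFC 5280 case-insensitive form. Added illustration, not
GnuTLS code; every constraint and SAN value below is constructed.
"""
from typing import List, Tuple

Name = Tuple[str, str]  # (GeneralName type, value), e.g. ("dNSName", "example.com")


def dns_matches(name: str, constraint: str, case_insensitive: bool) -> bool:
    """RFC 5280 4.2.1.10: constraint 'example.com' covers example.com and
    every label below it (foo.example.com), matched on a label boundary."""
    if case_insensitive:
        name, constraint = name.lower(), constraint.lower()
    constraint = constraint.lstrip(".")  # tolerate the '.example.com' spelling
    return name == constraint or name.endswith("." + constraint)


def rfc822_matches(addr: str, constraint: str, case_insensitive: bool) -> bool:
    """RFC 5280 4.2.1.10: a constraint is a full mailbox, a host name (all
    mailboxes on that host) or '.domain' (all mailboxes below that domain).
    Only the domain part is case-folded; RFC 5280 7.5 keeps the local-part
    case-sensitive, so the fold never accepts a different mailbox."""
    local, _, host = addr.rpartition("@")
    if case_insensitive:
        host = host.lower()
    if "@" in constraint:
        c_local, _, c_host = constraint.rpartition("@")
        if case_insensitive:
            c_host = c_host.lower()
        return local == c_local and host == c_host
    c_host = constraint.lower() if case_insensitive else constraint
    if c_host.startswith("."):
        return host.endswith(c_host)
    return host == c_host


MATCHERS = {"dNSName": dns_matches, "rfc822Name": rfc822_matches}


def check_name_constraints(san: List[Name], permitted: List[Name],
                           excluded: List[Name],
                           case_insensitive: bool) -> Tuple[bool, str]:
    """Apply excludedSubtrees, then permittedSubtrees, to each SAN entry of
    the same name type. Returns (accepted, reason)."""
    for kind, value in san:
        match = MATCHERS[kind]
        for c_kind, c_value in excluded:
            if c_kind == kind and match(value, c_value, case_insensitive):
                return False, f"{kind} {value!r} falls in excluded subtree {c_value!r}"
        perm = [c_value for c_kind, c_value in permitted if c_kind == kind]
        if perm and not any(match(value, c, case_insensitive) for c in perm):
            return False, f"{kind} {value!r} is outside permitted subtrees {perm}"
    return True, "all names satisfy the constraints"


# Constructed scenario: a subordinate CA is barred from the internal DNS zone
# and from internal mailboxes; the leaf differs from the zone only in case.
CA_PERMITTED: List[Name] = []
CA_EXCLUDED: List[Name] = [("dNSName", "internal.example.com"),
                           ("rfc822Name", ".internal.example.com")]
LEAF_SAN: List[Name] = [("dNSName", "Admin.INTERNAL.example.com"),
                        ("rfc822Name", "ops@Internal.Example.COM")]


def flawed_validation() -> bool:
    """Case-sensitive matching, as the debrief describes for affected builds:
    the excluded zone is not recognised and the leaf is accepted."""
    return check_name_constraints(LEAF_SAN, CA_PERMITTED, CA_EXCLUDED, False)[0]


def fixed_validation() -> bool:
    """Case-insensitive matching per RFC 5280: the leaf is rejected."""
    return check_name_constraints(LEAF_SAN, CA_PERMITTED, CA_EXCLUDED, True)[0]


if __name__ == "__main__":
    for label, fn in (("case-sensitive", flawed_validation),
                      ("case-insensitive", fixed_validation)):
        print(f"{label:17s} accepted={fn()}")
```

Pointing `LEAF_SAN` at a SAN list extracted from a real leaf certificate and `CA_EXCLUDED`/`CA_PERMITTED` at the issuing CA's nameConstraints gives a quick policy check independent of the TLS library in use: a leaf that `flawed_validation` accepts but `fixed_validation` rejects is exactly the kind of casing variation the monitoring action above asks teams to look for.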

Evidence notes

Case-sensitivity bypass in nameConstraints validation confirmed through Red Hat and GnuTLS issue tracking. CWE-178 (Incorrect Case Sensitivity) assigned. CVSS 6.5 (Medium) reflects network attack vector with low complexity, no privileges required, and partial confidentiality/integrity impact.

Official resources

2026-04-30