PatchSiren cyber security CVE debrief

CVE-2026-42013 Red Hat CVE debrief

A certificate validation bypass exists in GnuTLS: when a certificate carries an oversized Subject Alternative Name (SAN) extension, the hostname check does not fail closed but instead falls back to matching against the Common Name (CN) field. A remote attacker who can present such a certificate, with a CN naming the target host, can pass validation without the SAN ever matching the intended hostname, enabling spoofing or man-in-the-middle attacks. The root cause is improper handling of the SAN size constraint during X.509 certificate chain validation.

Vendor
Red Hat
Product
Red Hat Enterprise Linux 8
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-27
Advisory published
2026-05-26
Advisory updated
2026-05-27

Who should care

System administrators operating TLS-terminating services using GnuTLS, security teams managing PKI infrastructure, and developers integrating GnuTLS for certificate validation in applications.

Technical summary

The vulnerability occurs during X.509 certificate chain validation in GnuTLS. When a certificate contains an oversized Subject Alternative Name extension, the validation logic does not handle the size condition correctly: instead of rejecting the certificate, it behaves as if no usable SAN were present and matches the peer hostname against the Common Name field.

This contradicts RFC 6125, which requires that when a certificate presents DNS-ID entries in subjectAltName the CN-ID must not be consulted at all; the CN is only a legacy fallback for certificates that carry no SAN. An attacker who can craft or obtain a certificate whose CN names the target host, whose SAN extension is oversized, and which otherwise chains to a trust anchor the client accepts, can trigger the fallback and impersonate that host.

The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N indicates a network attack vector, low attack complexity, no privileges required and no user interaction, with high impact to integrity, low impact to confidentiality and no impact to availability.
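The fallback pattern described above, modelled as an added example (this is not GnuTLS code and does not reproduce its parser). The block builds a minimal subjectAltName extension in DER (dNSName entries only, the [2] IMPLICIT tag 0x82), parses it back under a size limit, and places a checker that silently falls back to the CN beside one that fails closed. The names (`bank.example`, `attacker.example`), the SAN size limit `SAN_SIZE_LIMIT` and the sample certificates are constructed for the demonstration and are not taken from the advisory.

```python
"""SAN-vs-CN hostname verification: fallback-to-CN bug beside the fail-closed fix.

Added example, not GnuTLS code. SAN_SIZE_LIMIT is a hypothetical limit chosen
for the demo; it is not GnuTLS's constant.
"""
from __future__ import annotations

SAN_SIZE_LIMIT = 64  # hypothetical cap on the encoded SAN extension (bytes)
TAG_SEQUENCE = 0x30
TAG_DNSNAME = 0x82   # GeneralName dNSName is [2] IMPLICIT IA5String


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_san(dns_names: list[str]) -> bytes:
    """Build a subjectAltName value: SEQUENCE OF GeneralName (dNSName only)."""
    inner = b"".join(bytes([TAG_DNSNAME]) + _der_len(len(n)) + n.encode("ascii")
                     for n in dns_names)
    return bytes([TAG_SEQUENCE]) + _der_len(len(inner)) + inner


def _read_len(buf: bytes, i: int) -> tuple[int, int]:
    """Decode a DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or i + 1 + nbytes > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + nbytes], "big"), i + 1 + nbytes


def parse_san(der: bytes, limit: int = SAN_SIZE_LIMIT) -> list[str]:
    """Return the dNSName entries; raise ValueError if oversized or malformed."""
    if len(der) > limit:
        raise ValueError(f"SAN extension of {len(der)} bytes exceeds limit {limit}")
    if not der or der[0] != TAG_SEQUENCE:
        raise ValueError("SAN is not a SEQUENCE")
    seq_len, i = _read_len(der, 1)
    if i + seq_len != len(der):
        raise ValueError("SAN length mismatch")
    names: list[str] = []
    while i < len(der):
        tag = der[i]
        length, i = _read_len(der, i + 1)
        value = der[i:i + length]
        if len(value) != length:
            raise ValueError("truncated GeneralName")
        i += length
        if tag == TAG_DNSNAME:
            names.append(value.decode("ascii"))
        # other GeneralName types (IP, email, ...) are irrelevant to DNS-ID matching
    return names


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: exact, or '*' as the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p == h:
        return True
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def verify_hostname_vulnerable(san_der: bytes | None, cn: str, host: str) -> bool:
    """Flawed pattern from the debrief: an oversized/unparseable SAN is treated like
    a missing one, so the check silently falls back to the CN."""
    names: list[str] = []
    if san_der is not None:
        try:
            names = parse_san(san_der)
        except ValueError:
            pass                      # bug: the error is swallowed
    if names:
        return any(_dns_match(n, host) for n in names)
    return _dns_match(cn, host)       # reached for oversized SANs: the bypass


def verify_hostname_fixed(san_der: bytes | None, cn: str, host: str) -> bool:
    """Fail closed: a SAN that is present but oversized or malformed rejects the
    certificate, and a present SAN is authoritative even when it does not match."""
    if san_der is None:
        return _dns_match(cn, host)   # legacy certificate with no SAN at all
    try:
        names = parse_san(san_der)
    except ValueError:
        return False                  # oversized or malformed SAN: reject
    return any(_dns_match(n, host) for n in names)


# Constructed sample certificates (only the fields the check needs).
LEGIT_SAN = encode_san(["www.bank.example", "bank.example"])          # 34 bytes
ATTACKER_SAN = encode_san([f"host{i}.attacker.example" for i in range(8)])  # 195 bytes
TARGET_CN = "bank.example"

if __name__ == "__main__":
    print("vulnerable accepts attacker cert:",
          verify_hostname_vulnerable(ATTACKER_SAN, TARGET_CN, "bank.example"))
    print("fixed accepts attacker cert:     ",
          verify_hostname_fixed(ATTACKER_SAN, TARGET_CN, "bank.example"))
```

The attacker certificate never lists `bank.example` in its SAN; only the CN does. The vulnerable checker accepts it because the oversized SAN is indistinguishable from an absent one on its error path, while the fixed checker treats any present-but-unusable SAN as grounds for rejection and never consults the CN when a SAN exists.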

Defensive priority

HIGH

Recommended defensive actions

  • Apply GnuTLS security updates as soon as distribution maintainers release them
  • Inventory services that link against GnuTLS for certificate validation (for example via the package manager's reverse-dependency query or ldd on the running binaries) so the update reaches every affected process, and review their TLS validation settings
  • Monitor Red Hat Bugzilla 2467448 for patch availability and backport information
  • Audit certificate chains in internal PKI deployments for unusually large SAN extensions, and reject or re-issue any found
  • Monitor Certificate Transparency logs for unexpected issuance against your domains, since a certificate abusing the CN fallback would still need to be issued by a CA the client trusts

Evidence notes

CVE published 2026-05-26 with CVSS 3.1 score 8.2 (HIGH). Red Hat Bugzilla reference 2467448 filed. CWE-1284 (Improper Validation of Specified Quantity in Input) identified as primary weakness. Vendor attribution marked low confidence requiring review; Red Hat referenced as domain candidate.

Official resources

2026-05-26