ALPINE-CVE-2026-34582

See a problem?
Please try reporting it to the source first.

Source

https://security.alpinelinux.org/vuln/CVE-2026-34582

Import Source

https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-34582.json

JSON Data

https://api.osv.dev/v1/vulns/ALPINE-CVE-2026-34582

Upstream

CVE-2026-34582

Published

2026-04-07T22:16:22.810Z

Modified

2026-06-15T18:18:11.210103616Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can by bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1.

References

https://security.alpinelinux.org/vuln/CVE-2026-34582

Affected packages

Alpine:v3.24 / botan3

Package

Name: botan3
Purl: pkg:apk/alpine/botan3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.11.1-r0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-34582.json"