UBUNTU-CVE-2026-33896

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-33896

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33896.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-33896

Upstream

CVE-2026-33896

Published

2026-03-27T21:17:00Z

Modified

2026-04-16T11:00:05.949519Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.

References

Affected packages

Ubuntu:20.04:LTS / node-node-forge

Package

Name: node-node-forge
Purl: pkg:deb/ubuntu/node-node-forge@0.9.1~dfsg-1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.8.5~dfsg-2

0.9.1~dfsg-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.9.1~dfsg-1",
            "binary_name": "libjs-node-forge"
        },
        {
            "binary_version": "0.9.1~dfsg-1",
            "binary_name": "node-node-forge"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33896.json"

Ubuntu:22.04:LTS / node-node-forge