UBUNTU-CVE-2026-34580

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-34580

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34580.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-34580

Upstream

CVE-2026-34580

Published

2026-04-07T22:16:00Z

Modified

2026-05-20T16:25:34.058648671Z

Severity

9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Botan is a C++ cryptography library. In 3.11.0, the function CertificateStore::certificateknown had a misleading name; it would return true if any certificate in the store had a DN (and subject key identifier, if set) matching that of the argument. It did not check that the cert it found and the cert it was passed were actually the same certificate. In 3.11.0 an extension of path validation logic was made which assumed that certificate_known only returned true if the certificates were in fact identical. The impact is that if an end entity certificate is presented, and its DN (and subject key identifier, if set) match that of any trusted root, the end entity certificate is accepted immediately as if it itself were a trusted root. , This vulnerability is fixed in 3.11.1.

References

Affected packages

Ubuntu:18.04:LTS

botan

Package

Name: botan
Purl: pkg:deb/ubuntu/botan?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.4.0-3

2.4.0-4

2.4.0-5ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "botan",
            "binary_version": "2.4.0-5ubuntu1"
        },
        {
            "binary_name": "libbotan-2-4",
            "binary_version": "2.4.0-5ubuntu1"
        },
        {
            "binary_name": "python3-botan",
            "binary_version": "2.4.0-5ubuntu1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34580.json"

Ubuntu:20.04:LTS

botan

Package

Name: botan
Purl: pkg:deb/ubuntu/botan?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.9.0-2

2.9.0-2build1

2.12.1-2

2.12.1-2build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "botan",
            "binary_version": "2.12.1-2build1"
        },
        {
            "binary_name": "libbotan-2-12",
            "binary_version": "2.12.1-2build1"
        },
        {
            "binary_name": "python3-botan",
            "binary_version": "2.12.1-2build1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34580.json"

Ubuntu:25.10

botan

Package

Name: botan
Purl: pkg:deb/ubuntu/botan?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.19.5+dfsg-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libbotan-2-19",
            "binary_version": "2.19.5+dfsg-4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34580.json"

botan3

Package

Name: botan3
Purl: pkg:deb/ubuntu/botan3?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.7.1+dfsg-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "botan",
            "binary_version": "3.7.1+dfsg-2"
        },
        {
            "binary_name": "libbotan-3-7",
            "binary_version": "3.7.1+dfsg-2"
        },
        {
            "binary_name": "python3-botan",
            "binary_version": "3.7.1+dfsg-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34580.json"

Ubuntu:26.04:LTS

botan3

Package

Name: botan3
Purl: pkg:deb/ubuntu/botan3?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.7.1+dfsg-2

3.10.0+dfsg-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "botan",
            "binary_version": "3.10.0+dfsg-2"
        },
        {
            "binary_name": "libbotan-3-10",
            "binary_version": "3.10.0+dfsg-2"
        },
        {
            "binary_name": "python3-botan",
            "binary_version": "3.10.0+dfsg-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34580.json"

Ubuntu:Pro:22.04:LTS

botan

Package

Name: botan
Purl: pkg:deb/ubuntu/botan?arch=source&distro=esm-apps%2Fjammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.17.3+dfsg-3

2.19.1+dfsg-2ubuntu1

2.19.1+dfsg-2ubuntu1+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "botan",
            "binary_version": "2.19.1+dfsg-2ubuntu1+esm1"
        },
        {
            "binary_name": "libbotan-2-19",
            "binary_version": "2.19.1+dfsg-2ubuntu1+esm1"
        },
        {
            "binary_name": "python3-botan",
            "binary_version": "2.19.1+dfsg-2ubuntu1+esm1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34580.json"

Ubuntu:Pro:24.04:LTS

botan

Package

Name: botan
Purl: pkg:deb/ubuntu/botan?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.19.3+dfsg-1ubuntu1

2.19.3+dfsg-1ubuntu2

2.19.3+dfsg-1ubuntu2+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "botan",
            "binary_version": "2.19.3+dfsg-1ubuntu2+esm1"
        },
        {
            "binary_name": "libbotan-2-19",
            "binary_version": "2.19.3+dfsg-1ubuntu2+esm1"
        },
        {
            "binary_name": "python3-botan",
            "binary_version": "2.19.3+dfsg-1ubuntu2+esm1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34580.json"