UBUNTU-CVE-2026-9648

Source
https://ubuntu.com/security/CVE-2026-9648
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9648.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-9648
Upstream
  • CVE-2026-9648
Published
2026-06-11T16:16:00Z
Modified
2026-06-17T04:26:58Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Ubuntu - medium
Summary
[none]
Details

The crypton-x509-validation Haskell library fails to enforce the X.509 NameConstraints extension (RFC 5280, section 4.2.1.10), so TLS clients built on it accept end-entity certificates whose Subject Alternative Names fall outside the permitted subtrees of the issuing CA. An attacker who controls a name-constrained sub-CA can therefore issue certificates for domains beyond the sub-CA's intended scope, and affected clients will trust them for those domains. The affected ranges below record no fixed version for any listed Ubuntu release.
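
The check the advisory says is missing, as an added example that is not code from the advisory or from the crypton-x509-validation project: a minimal RFC 5280 dNSName name-constraint evaluation over a constructed chain, with a switch that reproduces the described defect (constraints never consulted). The certificate records, the sub-CA constraints, the hostnames and the `validate_chain`/`demo` helpers are all made up for illustration; real certificates would be parsed from DER, and the other name forms the extension covers (rfc822Name, iPAddress, URI, directoryName) are not handled here.

```python
# Added example (not from the advisory or the crypton-x509-validation
# project): RFC 5280 dNSName NameConstraints checking on a constructed chain,
# beside the behaviour the advisory describes (extension ignored).
# Certificates here are plain records, not parsed X.509; all names are made up.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NameConstraints:
    """dNSName entries of a CA's NameConstraints extension."""
    permitted: List[str] = field(default_factory=list)
    excluded: List[str] = field(default_factory=list)


@dataclass
class Cert:
    subject: str
    sans: List[str]                                 # dNSName SAN entries
    constraints: Optional[NameConstraints] = None   # present only on CA certs


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName satisfies a subtree if it equals it or is
    the subtree with one or more labels prepended.  A leading-dot subtree
    (".example.com", a common CA convention) admits subdomains only."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree)
    return name == subtree or name.endswith("." + subtree)


def name_violation(name: str, nc: NameConstraints) -> Optional[str]:
    """Reason string if `name` is not allowed under `nc`, else None.
    Excluded subtrees always win; permitted subtrees restrict only when at
    least one dNSName permitted subtree is present."""
    if any(dns_in_subtree(name, s) for s in nc.excluded):
        return f"{name} is inside an excluded subtree {nc.excluded}"
    if nc.permitted and not any(dns_in_subtree(name, s) for s in nc.permitted):
        return f"{name} is outside the permitted subtrees {nc.permitted}"
    return None


def validate_chain(chain: List[Cert], enforce_name_constraints: bool = True) -> List[str]:
    """`chain` is leaf-first, root-last (the order a TLS server sends it).
    Each CA's constraints apply to every certificate issued below it, so
    nested sub-CAs can only narrow the name space, never widen it.  Returns
    the list of violations; empty means the names are acceptable.
    enforce_name_constraints=False reproduces the advisory's defect."""
    problems: List[str] = []
    if not enforce_name_constraints:
        return problems
    for i in range(len(chain) - 1, 0, -1):
        ca = chain[i]
        if ca.constraints is None:
            continue
        for subordinate in chain[:i]:
            for san in subordinate.sans:
                why = name_violation(san, ca.constraints)
                if why:
                    problems.append(f"{ca.subject} -> {subordinate.subject}: {why}")
    return problems


def demo() -> dict:
    """Constructed chain: unconstrained root, a sub-CA limited to example.com
    with internal.example.com carved out, and three candidate leaves."""
    root = Cert("Root CA", sans=[])
    sub_ca = Cert("Constrained Sub-CA", sans=[],
                  constraints=NameConstraints(permitted=["example.com"],
                                              excluded=["internal.example.com"]))
    in_scope = Cert("www.example.com", sans=["www.example.com", "example.com"])
    out_of_scope = Cert("login.bank.example.net",
                        sans=["login.bank.example.net", "www.example.com"])
    carved_out = Cert("db.internal.example.com", sans=["db.internal.example.com"])
    return {
        "in_scope": validate_chain([in_scope, sub_ca, root]),
        "out_of_scope": validate_chain([out_of_scope, sub_ca, root]),
        "carved_out": validate_chain([carved_out, sub_ca, root]),
        # what a client with the advisory's defect concludes about the rogue leaf
        "out_of_scope_unenforced": validate_chain([out_of_scope, sub_ca, root],
                                                  enforce_name_constraints=False),
    }


if __name__ == "__main__":
    for case, violations in demo().items():
        print(case, "-> REJECT" if violations else "-> ACCEPT", violations)
```

The rogue leaf is the case the advisory describes: a certificate issued by the example.com-constrained sub-CA that also carries a SAN for a domain the sub-CA was never permitted to vouch for. A constraint-aware client rejects it; a client with the defect accepts it, which is what lets a compromised sub-CA impersonate arbitrary hosts. When testing a real client, build the same shape of chain with a CA tool and confirm the out-of-scope leaf is rejected.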

References

Affected packages

Ubuntu:24.04:LTS / haskell-crypton-x509-validation

Package

Name
haskell-crypton-x509-validation
Purl
pkg:deb/ubuntu/haskell-crypton-x509-validation?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.6.12-1
1.6.12-2
1.6.12-2build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libghc-crypton-x509-validation-prof",
            "binary_version": "1.6.12-2build1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9648.json"

Ubuntu:25.10 / haskell-crypton-x509-validation

Package

Name
haskell-crypton-x509-validation
Purl
pkg:deb/ubuntu/haskell-crypton-x509-validation?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.6.12-3build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libghc-crypton-x509-validation-prof",
            "binary_version": "1.6.12-3build1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9648.json"

Ubuntu:26.04:LTS / haskell-crypton-x509-validation

Package

Name
haskell-crypton-x509-validation
Purl
pkg:deb/ubuntu/haskell-crypton-x509-validation?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.6.12-3build1
1.6.14-1build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libghc-crypton-x509-validation-prof",
            "binary_version": "1.6.14-1build1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9648.json"