CVE-2026-42013
Publication date 30 April 2026
Last updated 27 May 2026
Ubuntu priority
CVSS 3 Severity Score
Description
A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.
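A simplified model of the failure mode described above, added here as an illustration and not taken from GnuTLS or from this advisory. It assumes the oversized SAN surfaces as a read error that the caller treats like "no SAN present"; the `Cert` type, the `SanRead` states and both functions are hypothetical, and wildcard matching is omitted.

```python
"""Simplified model of SAN-vs-CN hostname checking (added example, not GnuTLS code)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class SanRead(Enum):
    ABSENT = "absent"  # certificate carries no SAN extension
    OK = "ok"          # SAN extension was read and parsed
    ERROR = "error"    # SAN present but unreadable (assumed: too large for the reader)


@dataclass
class Cert:  # hypothetical parsed-certificate view
    common_name: Optional[str]
    san_status: SanRead
    san_dns: List[str]


def _eq(a: str, b: str) -> bool:
    # Case-insensitive exact match; wildcards are out of scope for this model.
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def check_hostname_flawed(cert: Cert, host: str) -> bool:
    """Bug class from the description: a SAN read failure is handled like 'no SAN'."""
    if cert.san_status is SanRead.OK:
        return any(_eq(n, host) for n in cert.san_dns)
    # ERROR falls through together with ABSENT, so the CN decides.
    return cert.common_name is not None and _eq(cert.common_name, host)


def check_hostname_hardened(cert: Cert, host: str) -> bool:
    """Fail closed: the CN is consulted only when the SAN extension is truly absent."""
    if cert.san_status is SanRead.ERROR:
        return False
    if cert.san_status is SanRead.OK:
        return any(_eq(n, host) for n in cert.san_dns)
    return cert.common_name is not None and _eq(cert.common_name, host)


# Constructed sample certificates (not real data).
NORMAL = Cert("www.example.test", SanRead.OK, ["www.example.test"])
LEGACY = Cert("legacy.example.test", SanRead.ABSENT, [])
OVERSIZED = Cert("bank.example.test", SanRead.ERROR, [])
```
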
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| gnutls28 | 26.04 LTS resolute | Fixed 3.8.12-2ubuntu1.1 |
| gnutls28 | 25.10 questing | Fixed 3.8.9-3ubuntu2.2 |
| gnutls28 | 24.04 LTS noble | Fixed 3.8.3-1.1ubuntu3.6 |
| gnutls28 | 22.04 LTS jammy | Fixed 3.7.3-4ubuntu1.9 |
| gnutls28 | 20.04 LTS focal | Needs evaluation |
| gnutls28 | 18.04 LTS bionic | Needs evaluation |
| gnutls28 | 16.04 LTS xenial | Needs evaluation |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-8284-1: GnuTLS vulnerabilities (20 May 2026)