CVE-2026-32884: Improper Certificate Validation in Botan

Severity: 5.9 MEDIUM (NVD)
EPSS: 0.0% (top 94.07%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 30; Latest update Apr 1

Description

Botan is a C++ cryptography library. Prior to version 3.11.0, during processing of an X.509 certificate path using name constraints which restrict the set of allowable DNS names, if no subject alternative name is defined in the end-entity certificate, Botan would check that the CN was allowed by the DNS name constraints, even though this check is technically not required by RFC 5280. However, this check failed to account for the possibility of a mixed-case CN. Thus a certificate with CN=Sub.EVIL.C
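As an added illustration, not Botan's code and not the actual change shipped in 3.11.0, the following C++ shows the shape of the defect the description points at: a dNSName name-constraint check that compares the CN byte-for-byte against permitted and excluded subtrees, beside a version that lower-cases both sides before matching, since DNS names compare case-insensitively (RFC 4343). The constraint sets, the `DnsConstraints` type and the hostnames are constructed for this example; the truncated description above does not say whether the affected constraint was a permitted or an excluded subtree, so both are exercised.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Name constraints for the dNSName form (RFC 5280 section 4.2.1.10): a name is
// acceptable if it lies under some permitted subtree (when any are listed) and
// under no excluded subtree. Hypothetical type for this example.
struct DnsConstraints {
    std::vector<std::string> permitted;
    std::vector<std::string> excluded;
};

// ASCII lower-casing; DNS names are case-insensitive (RFC 4343).
std::string ascii_lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// True if `name` equals `subtree` or is a subdomain of it, compared
// byte-for-byte: "Sub.EVIL.COM" is therefore NOT seen as under "evil.com".
bool in_subtree_exact(const std::string& name, const std::string& subtree) {
    if (name == subtree) return true;
    if (name.size() <= subtree.size()) return false;
    const size_t off = name.size() - subtree.size();
    // The match must sit on a label boundary so "notexample.com" is not under "example.com".
    return name[off - 1] == '.' && name.compare(off, std::string::npos, subtree) == 0;
}

// Same test after normalising both sides to lower case (a CA may also have
// written the constraint itself in mixed case).
bool in_subtree_ci(const std::string& name, const std::string& subtree) {
    return in_subtree_exact(ascii_lower(name), ascii_lower(subtree));
}

// Shared RFC 5280 evaluation order: excluded subtrees win, then permitted.
bool allowed_with(const std::string& name, const DnsConstraints& nc,
                  bool (*in_subtree)(const std::string&, const std::string&)) {
    for (const auto& ex : nc.excluded)
        if (in_subtree(name, ex)) return false;
    if (nc.permitted.empty()) return true;
    for (const auto& p : nc.permitted)
        if (in_subtree(name, p)) return true;
    return false;
}

// Defective pattern: the CN is matched against the constraints case-sensitively,
// so a mixed-case CN escapes an excluded subtree and fails a permitted one.
bool cn_allowed_case_sensitive(const std::string& cn, const DnsConstraints& nc) {
    return allowed_with(cn, nc, in_subtree_exact);
}

// Corrected pattern: normalise case before matching.
bool cn_allowed(const std::string& cn, const DnsConstraints& nc) {
    return allowed_with(cn, nc, in_subtree_ci);
}
```

The detection-side lesson is the same in either direction: a validator that is only exercised with lower-case test fixtures never sees the difference, so name-constraint test suites should include mixed-case CNs and mixed-case constraint subtrees for both the permitted and the excluded lists.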

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (Exploitability: 2.2 | Impact: 3.6)

Affected Packages (4 packages)

Debian (debian/botan): < botan3 3.11.0+dfsg-2 (sid)
Debian (debian/botan3): < botan3 3.11.0+dfsg-2 (sid)
CVEListV5 (randombit/botan): < 3.11.0
NVD (botan_project/botan): < 3.11.0

Vulnerability Details (1)

OSV: CVE-2026-32884: Botan is a C++ cryptography library (2026-03-30)

Vendor Advisories (2)

Red Hat: Botan: Botan: Certificate validation bypass due to mixed-case Common Name in X.509 certificates (2026-03-30)
Debian: CVE-2026-32884: botan - Botan is a C++ cryptography library. Prior to version 3.11.0, during processing ... (2026)

Threat Intelligence (5)

Wiz: CVE-2026-34582 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-32884 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-32877 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-34580 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-32883 Impact, Exploitability, and Mitigation Steps | Wiz

Community (5)

Bugzilla: CVE-2026-32884 botan2: Botan: Certificate validation bypass due to mixed-case Common Name in X.509 certificates [fedora-42] (2026-04-01)
Bugzilla: CVE-2026-32884 botan3: Botan: Certificate validation bypass due to mixed-case Common Name in X.509 certificates [epel-all] (2026-04-01)
Bugzilla: CVE-2026-32884 botan2: Botan: Certificate validation bypass due to mixed-case Common Name in X.509 certificates [fedora-43] (2026-04-01)
Bugzilla: CVE-2026-32884 botan2: Botan: Certificate validation bypass due to mixed-case Common Name in X.509 certificates [epel-all] (2026-04-01)
Bugzilla: CVE-2026-32884 Botan: Botan: Certificate validation bypass due to mixed-case Common Name in X.509 certificates (2026-03-30)