Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1338

NIXPKGS-2026-1338
published on
Permalink CVE-2026-3833
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 6 days, 15 hours ago by @LeSuisse Activity log
  • Created suggestion 1 week ago
  • @LeSuisse ignored
    4 packages
    • guile-gnutls
    • python312Packages.python3-gnutls
    • python313Packages.python3-gnutls
    • python314Packages.python3-gnutls
    6 days, 15 hours ago
  • @LeSuisse ignored maintainer @vcunat 6 days, 15 hours ago maintainer.ignore
  • @LeSuisse ignored
    2 references
    6 days, 15 hours ago
  • @LeSuisse accepted 6 days, 15 hours ago
  • @LeSuisse published on GitHub 6 days, 15 hours ago
Gnutls: gnutls: policy bypass due to case-sensitive nameconstraints comparison

A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.

References

Ignored references (2)

Affected products

rhcos
gnutls

Matching in nixpkgs

Ignored packages (4)

Package maintainers

Ignored maintainers (1)