CVE-2026-9648 high vulnerability summary
CVE-2026-9648 is listed by Tenable as a High severity CVE. The issue should be reviewed by teams that operate the affected software or dependencies.
The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.
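The check the summary describes as missing is the dNSName name-constraint match from RFC 5280 section 4.2.1.10. The following is an added example, not code from crypton-x509-validation or from the advisory; the function names and sample domains are constructed, and it covers dNSName constraints only.

```python
# Added illustration of RFC 5280 section 4.2.1.10 dNSName constraint matching.
# Not the library's code; every name and sample value here is constructed.

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_within(name, subtree):
    """True if `name` equals `subtree` or only adds labels on its left side.

    Comparison is label-wise, so 'notcorp.example' is not inside 'corp.example'.
    """
    n, s = _labels(name), _labels(subtree)
    return len(n) >= len(s) and n[len(n) - len(s):] == s


def san_violations(san_dns, permitted, excluded=()):
    """Return the SAN dNSNames that a CA's name constraints do not allow."""
    bad = []
    for name in san_dns:
        if any(dns_within(name, e) for e in excluded):
            bad.append(name)  # excluded subtrees always take precedence
        elif permitted and not any(dns_within(name, p) for p in permitted):
            bad.append(name)  # a permitted list exists and the name is outside it
    return bad


# Constructed sample: a sub-CA constrained to corp.example and a leaf it issued.
SUB_CA_PERMITTED = ["corp.example"]
LEAF_SANS = [
    "vpn.corp.example",
    "corp.example",
    "login.bank.example",
    "notcorp.example",
]

if __name__ == "__main__":
    # A validator that enforces the constraint must reject the chain
    # whenever this list is non-empty.
    print(san_violations(LEAF_SANS, SUB_CA_PERMITTED))
```

A path validator applies this check for every CA certificate in the chain that carries a NameConstraints extension, not only the immediate issuer.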
Recommended action
Confirm whether the affected product or library is present in your environment, review the vendor guidance, and apply the available update or mitigation where applicable.
This brief is based on information from Tenable Newest CVEs. Please refer to the original source for the complete advisory and vendor-specific guidance.