CRITICAL | CVE-2026-9648 | CNA: certcc

CVE-2026-9648

The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 1.9.1
Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability in the crypton-x509-validation Haskell library (crypton-certificate versions before 1.9.1) allows TLS clients to silently accept certificates whose Subject Alternative Names fall outside a sub-CA's NameConstraints. The flaw is reachable over the network with no authentication required and no user interaction needed. Successful exploitation lets an attacker who has compromised a name-constrained sub-CA impersonate arbitrary domains, enabling man-in-the-middle attacks against encrypted traffic. A patched-image rebuild at version 1.9.1 is available on HarborGuard for environments running an affected version.
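The check the advisory says the affected versions skip is the RFC 5280 section 4.2.1.10 NameConstraints test: every dNSName in the leaf's Subject Alternative Names must lie inside each issuing CA's permitted subtrees and outside its excluded subtrees, with constraints accumulating down the chain. The following is an added illustration written for this page, not code from crypton-x509-validation or the crypton-certificate project; the `NameConstraints` dataclass, the function names and the sample chain are all constructed here, and only the dNSName name form is modelled.

```python
"""Enforce X.509 dNSName NameConstraints on a leaf's Subject Alternative Names.

Added illustration for this advisory page; it is NOT the crypton-x509-validation
implementation. It applies the RFC 5280 section 4.2.1.10 dNSName rule: a SAN
satisfies a constraint when the constraint equals the name or is a suffix of it
on a label boundary (labels may be added on the left). Comparison is
case-insensitive. Other name forms (rfc822Name, directoryName, iPAddress) have
their own matching rules and are out of scope here.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NameConstraints:
    """dNSName constraints carried by one CA certificate (constructed type).

    permitted=None means the CA carries no permitted subtree for dNSName, which
    per RFC 5280 leaves dNSName unconstrained by that CA; excluded still applies.
    """
    permitted: Optional[List[str]] = None
    excluded: List[str] = field(default_factory=list)


def _labels(name: str) -> List[str]:
    # Normalise case and a trailing dot, then split into DNS labels.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(name: str, constraint: str) -> bool:
    """RFC 5280 dNSName rule: 'host.example.com' is satisfied by itself and by
    anything formed by adding labels on the left ('www.host.example.com'),
    but not by 'host1.example.com'."""
    n, c = _labels(name), _labels(constraint)
    if len(n) < len(c):
        return False
    return n[len(n) - len(c):] == c


def violations(san_dns_names: List[str],
               chain_constraints: List[Optional[NameConstraints]]) -> List[str]:
    """Return the SAN dNSNames that violate the constraints of any CA in the chain.

    chain_constraints holds one NameConstraints (or None) per issuing CA, root
    first. A name must satisfy every CA's permitted set (when present) and match
    none of the excluded entries, so constraints intersect down the chain.
    """
    bad = []
    for san in san_dns_names:
        for nc in chain_constraints:
            if nc is None:
                continue
            if nc.permitted is not None and not any(
                    dns_name_matches(san, p) for p in nc.permitted):
                bad.append(san)
                break
            if any(dns_name_matches(san, e) for e in nc.excluded):
                bad.append(san)
                break
    return bad


def chain_accepts(san_dns_names: List[str],
                  chain_constraints: List[Optional[NameConstraints]]) -> bool:
    """True only when every dNSName SAN is inside all permitted subtrees and
    outside all excluded subtrees. A validator that omits this step accepts the
    out-of-scope leaf below just like the in-scope one."""
    return not violations(san_dns_names, chain_constraints)


# Constructed sample chain: an unconstrained root, a sub-CA limited to
# example.com with one excluded subtree, and three candidate leaves.
ROOT = None
SUB_CA = NameConstraints(permitted=["example.com"], excluded=["internal.example.com"])
CHAIN = [ROOT, SUB_CA]

IN_SCOPE_LEAF = ["www.example.com", "api.example.com"]
OUT_OF_SCOPE_LEAF = ["www.example.com", "login.example.org"]  # second name escapes the subtree
EXCLUDED_LEAF = ["db.internal.example.com"]

if __name__ == "__main__":
    for label, sans in [("in-scope", IN_SCOPE_LEAF),
                        ("out-of-scope", OUT_OF_SCOPE_LEAF),
                        ("excluded", EXCLUDED_LEAF)]:
        print(f"{label}: accepted={chain_accepts(sans, CHAIN)} "
              f"violations={violations(sans, CHAIN)}")
```

Wildcard SANs are treated as an ordinary leftmost label here, which is the conservative reading; a production validator also has to apply the corresponding rules for the other GeneralName forms and reject a leaf carrying a constrained name type it cannot evaluate.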

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that vendor or bundle the crypton-certificate library directly.

Triage: Available

HarborGuard scores this CVE at CVSS 9.1 (Critical) and is capable of weighting that score against each environment's compliance policy to surface or suppress the finding according to defined thresholds. Routing to the appropriate team inbox within a customer org is handled automatically based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at crypton-certificate 1.9.1 becomes available through HarborGuard once an affected image is identified. For customers with auto-remediation enabled, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the vulnerable TLS client over the network; the library is exposed whenever an application initiates or validates TLS connections to remote endpoints.

  • Authentication: Not required

    No credentials or account are needed; the attacker only needs to present a crafted certificate during the TLS handshake.

  • Victim interaction: Not required

    No user action is required; exploitation occurs passively during normal TLS connection establishment by the affected library.

  • Attack complexity: Low

    Attack complexity is low; the exploit is reliable and condition-free once the attacker controls a name-constrained sub-CA or can position themselves to present a crafted certificate.

Blast Radius

  • Attacker impersonates arbitrary domains beyond the sub-CA's permitted scope, intercepting or reading plaintext from TLS-protected connections the client believes are authenticated.
  • Attacker modifies in-transit data exchanged over those impersonated TLS sessions, injecting commands, responses, or payloads without detection by the client.
  • Trust anchors and certificate pinning logic built on top of the affected library are bypassed, undermining downstream security controls that rely on correct NameConstraints enforcement.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9648 is active across all connected registries and pipelines, matching any image that bundles crypton-certificate below version 1.9.1, including images where the library is statically linked or copied into a custom base layer. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image against crypton-certificate 1.9.1, executes the configured regression suite, and opens a pull request against the affected workload; for Critical-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy does not permit auto-remediation, the finding is routed to the designated team inbox with full image provenance details so engineers can trigger a manual rebuild. As an interim compensating control, consider applying network policy to restrict which services can initiate outbound TLS connections through the affected library, reducing the blast radius while a rebuild is prepared.


Fix available: 1.9.1
Affected packages
  • Haskell Programming Language / crypton-certificate
    < 1.9.1 (from 0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N