{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-9648: CVE-2026-9648","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-9648","status":"final","version":"1","initial_release_date":"2026-06-11T14:30:30.800Z","current_release_date":"2026-06-11T15:39:31.210Z","revision_history":[{"date":"2026-06-11T14:30:30.800Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-9648 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-9648"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-9648"},{"category":"external","summary":"github.com","url":"https://github.com/kazu-yamamoto/crypton-certificate/pull/30"},{"category":"external","summary":"github.com","url":"https://github.com/kazu-yamamoto/crypton-certificate/pull/30/changes/f4b77edf6ead77f4a886da40e41eab20f0180e39"},{"category":"external","summary":"hackage.haskell.org","url":"https://hackage.haskell.org/package/crypton-x509-validation-1.9.1/revisions/"},{"category":"external","summary":"github.com","url":"https://github.com/haskell/security-advisories/pull/332"}]},"product_tree":{"branches":[{"category":"vendor","name":"Haskell Programming Language","branches":[{"category":"product_name","name":"crypton-certificate","branches":[{"category":"product_version_range","name":"<1.9.1","product":{"name":"Haskell Programming Language crypton-certificate <1.9.1","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:haskell_programming_language:crypton-certificate:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-9648","title":"CVE-2026-9648","notes":[{"category":"description","text":"The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 1.9.1.","product_ids":["CSAFPID-1"]}]}]}