CVE-2026-32883

// PoC Concept: Demonstrating the acceptance of an unsigned OCSP response // This code illustrates the logic flaw present in Botan < 3.11.0 #include <botan/x509cert.h> #include <botan/ocsp.h> #include <vector> void simulate_vulnerable_check() { // 1. Setup: A revoked certificate and its issuer // Botan::X509_Certificate revoked_cert("...path_to_revoked..."); // Botan::X509_Certificate issuer_cert("...path_to_issuer..."); // 2. Forge an OCSP Response // Construct a DER blob indicating status 'GOOD' but signed with a dummy/fake key. std::vector<uint8_t> forged_ocsp_response = { // DER encoded OCSP Response with: // - ResponseStatus: successful // - ResponseBytes: CertStatus = good // - Signature: INVALID or MISSING }; try { // 3. Botan parses the response // In vulnerable versions, signature verification is skipped here. // Botan::OCSP::Response response(forged_ocsp_response); // 4. Check status for the certificate // auto status = response.status_for(revoked_cert, issuer_cert); // 5. Exploit Result // If the library returns OCSP_RESPONSE_GOOD, the vulnerability is confirmed. // The revoked certificate is accepted as valid despite the invalid signature. } catch (std::exception& e) { // Handle parsing or validation errors } }

{"cve": {"id": "CVE-2026-32883", "sourceIdentifier": "[email protected]", "published": "2026-03-30T21:17:09.933", "lastModified": "2026-04-13T13:54:57.530", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0."}, {"lang": "es", "value": "Botan es una biblioteca de criptografía C++. Desde la versión 3.0.0 hasta antes de la versión 3.11.0, durante la validación de ruta X509, las respuestas OCSP se verificaban en busca de un código de estado apropiado, pero omitieron críticamente verificar la firma de la propia respuesta OCSP. Este problema ha sido parcheado en la versión 3.11.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-347"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.11.0", "matchCriteriaId": "8B92E460-5467-4D89-8840-A410CF83ED73"}]}]}], "references": [{"url": "https://github.com/randombit/botan/security/advisories/GHSA-9j2j-hqmc-hf5x", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}