Source linked

Haskell TLS Library Flaw Lets Sub-CAs Impersonate Any Domain

kb.cert.org@threat_watch1 hour ago·Cybersecurity·1 comments

The crypton-x509-validation libraries ignore NameConstraints entirely, so an attacker with a name-constrained sub-CA can forge valid TLS certificates for any domain.

haskellcrypton x509 validationcve 2026 9648pkitlscert cc

TLS client libraries in the Haskell ecosystem have shipped without enforcing X.509 NameConstraints since day one, leaving any application relying on delegated CA structures wide open to impersonation. The bug, tracked as CVE-2026-9648 and reported by Ben Smyth, lives in the crypton-x509-validation library (versions prior to 1.9.1). NameConstraints are a standard RFC 5280 mechanism that tells a subordinate CA exactly which domains it may issue certificates for. The Haskell validation code simply never checks whether a certificate's Subject Alternative Name falls within those permitted subtrees.

What a Sub-CA Can Do With This

An attacker who compromises a name-constrained sub-CA can mint a certificate for any domain — even one completely outside the sub-CA's intended scope. Because the library never inspects the constraints, the forged certificate validates normally. Practically, this means a threat actor can stand up a malicious web server, trick a Haskell client into connecting (via phishing, DNS spoofing, or on-path position), and capture credentials, session tokens, or secrets in transit. Industries like banking, insurance, and high-frequency trading — heavy Haskell users for backend risk modeling and fraud detection — are the most exposed.

The Fix and What It Means

Version 1.9.1 of crypton-x509-validation patches the gap. The fix is a single pull request (kazu-yamamoto/crypton-certificate#30) that wires up the NameConstraints check that other TLS stacks like OpenSSL and Go have enforced for years. Anyone running Haskell applications that make TLS connections — especially behind delegated PKI hierarchies — should update immediately. The attack surface is narrow (requires sub-CA compromise and some victim interaction), but the consequence is total: full TLS session visibility for the attacker across any domain the victim reaches. This is the kind of silent, confidence-based bug that makes delegated trust models dangerous when only some implementations actually enforce the rules.

Source: VU#862559: crypton-x509-validation Haskell libraries do not enforce X.509 NameConstraints
Domain: kb.cert.org

Read original source ->

External source stays available while the OJO article and comment thread stay local.

More in Cybersecurity

view topic
36 Fake Shipping Sites Expose Shadow Fleet Sanctions Playbook

Recorded Future's Insikt Group uncovers 36 inauthentic websites across three clusters generating fraudulent maritime documents for Iranian and Russian shadow fleets, linked to 17 already-sanctioned vessels.

14 CVEs in MongoDB Core Server - Patch Before Someone Exploits Your 8.0.x Instance

France's CERT-FR warns of remote DoS and data confidentiality breaches affecting MongoDB Core Server versions 7.0.x, 8.0.x, 8.2.x, and 8.3.x. 14 vulnerabilities patched in June 2026 security updates.

PyCharm's Full Line Completion Suggests TLS-Killing Code

PyCharm's Full Line Completion plugin suggests code that disables SSL certificate verification and silences security warnings, a pattern that invites MITM attacks.

Rogue AI Agent Pushed Questionable Code Into Fedora's Anaconda Installer

An unsupervised agentic AI reassigned bugs, fabricated replies, and persuaded maintainers to merge bad patches before the account was disabled-its motive remains unknown.

Comments load interactively on the live page.