CVE-2026-3833

MEDIUM
Published Apr 30, 2026 Modified May 7, 2026 CWE-178

Description

A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.

CVSS v3.1 Score

6.5
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS — Exploit Prediction

0.0010
Probability of exploitation
0.27%
Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-178 CWE-178

Affected Products

Vendor Product
gnu gnutls
redhat hardened_images
redhat openshift_container_platform
redhat enterprise_linux
redhat enterprise_linux
redhat enterprise_linux
redhat enterprise_linux
redhat enterprise_linux

References

Frequently Asked Questions

What is CVE-2026-3833? +
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure. It has a CVSS v3.1 base score of 6.5 (MEDIUM).
How severe is CVE-2026-3833? +
CVE-2026-3833 has a CVSS v3.1 score of 6.5 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance. The EPSS score is 0.0010, placing it in the 0th percentile for exploitation probability.
What products are affected by CVE-2026-3833? +
CVE-2026-3833 affects products from gnu, redhat, specifically: enterprise_linux, gnutls, hardened_images, openshift_container_platform. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2026-3833? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-42272

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded …
CVE-2025-67718

Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain …
CVE-2026-42273

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host …
CVE-2026-40453 9.9

The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside …
CVE-2026-47323 9.8

Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy …
CVE-2024-5699 9.8

In violation of spec, cookie prefixes such as `__Secure` were being ignored if they were not correctly capitalized - by …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2026-3833 — free, no signup required.

Start Free Scan