FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Erlang/OTP -- TLS hostname verification bypass via Subject CommonName fallback and name constraints

Affected packages
19.3 <= erlang < 26.2.5.21,4
erlang-runtime27 < 27.3.4.12
erlang-runtime28 < 28.5.0.1
erlang-runtime29 < 29.0.1

Details

VuXML ID 93576148-5a54-11f1-b886-4c526214c986
Discovery 2026-05-27
Entry 2026-05-28

https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447 reports:

Erlang/OTP's TLS hostname verification implements a legacy RFC 6125 fallback that checks the Subject CommonName when the Subject Alternative Name (SAN) extension is absent, rather than following RFC 9525 which requires validation to fail without SAN. Combined with weak handling of X.509 Name Constraints, this enables man-in-the-middle attacks when an attacker controls a DNS-constrained sub-CA and can intercept network traffic, allowing forgery of certificates for unauthorized domains.
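The following is an added, stand-alone illustration of the two verification rules the advisory contrasts; it is not code from Erlang/OTP or from the advisory, and it makes no claim about how OTP's ssl application is actually implemented. Certificates are modelled as plain Python dataclasses holding only the fields the check consults (Subject CN, SAN dNSNames, and the issuer's dNSName name constraints); all names, sample certificates and function names are constructed for the example. The "weak constraints" mode is an assumption about the general bug class (DNS name constraints applied only to SAN entries while the hostname match may still fall back to the CN), chosen to show why a DNS-constrained sub-CA can mint a SAN-less certificate for an unrelated host under the legacy RFC 6125 rule, and why the RFC 9525 rule (no SAN, no match) rejects it regardless of how constraints are handled:

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (constructed data,
    not real DER). Only the fields the hostname check looks at are kept."""
    subject_cn: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)
    # dNSName name constraints carried by an issuing CA (RFC 5280 4.2.1.10).
    # permitted_dns=None means the CA is unconstrained.
    permitted_dns: Optional[List[str]] = None
    excluded_dns: List[str] = field(default_factory=list)


def dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style presented-identifier match: exact, or a single
    wildcard as the whole left-most label ('*.example.com')."""
    p = pattern.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if p.startswith("*."):
        p_rest, h_labels = p.split(".")[1:], h.split(".")
        return len(h_labels) == len(p_rest) + 1 and h_labels[1:] == p_rest
    return p == h


def in_dns_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName subtree test: 'host.example.com' lies within
    'example.com' (or '.example.com'); 'notexample.com' does not."""
    n = name.lower().rstrip(".")
    s = subtree.lower().strip(".")
    return n == s or n.endswith("." + s)


def names_within_constraints(names: List[str], issuer: Cert) -> bool:
    """Every name must avoid excluded subtrees and, when the issuer has a
    permitted list, fall inside at least one permitted subtree."""
    for n in names:
        if any(in_dns_subtree(n, s) for s in issuer.excluded_dns):
            return False
        if issuer.permitted_dns is not None and not any(
            in_dns_subtree(n, s) for s in issuer.permitted_dns
        ):
            return False
    return True


def presented_identifiers(leaf: Cert, cn_fallback: bool) -> List[str]:
    """Identifiers the verifier compares the requested hostname against.
    cn_fallback=True is the legacy RFC 6125 rule (use the Subject CN only
    when no SAN is present); cn_fallback=False is RFC 9525 (SAN only, so a
    certificate without SAN never matches any hostname)."""
    if leaf.san_dns:
        return list(leaf.san_dns)
    if cn_fallback and leaf.subject_cn:
        return [leaf.subject_cn]
    return []


def verify_hostname(host: str, leaf: Cert, issuer: Cert,
                    *, cn_fallback: bool, constrain_cn: bool) -> bool:
    """True if `leaf`, issued by `issuer`, is acceptable for `host`.

    constrain_cn models how the issuer's dNSName constraints are applied
    (an assumption for this example, not OTP's actual logic):
      False: only SAN dNSName entries are checked, so a CN that is also
             used for hostname matching escapes the constraints;
      True:  every identifier actually used for matching is checked.
    """
    ids = presented_identifiers(leaf, cn_fallback)
    constrained = ids if constrain_cn else list(leaf.san_dns)
    if not names_within_constraints(constrained, issuer):
        return False
    return any(dns_matches(p, host) for p in ids)


# Constructed scenario: a sub-CA whose name constraints permit only names
# under attacker.example is used to mint a SAN-less leaf whose CN names an
# unrelated host.
CONSTRAINED_SUBCA = Cert(subject_cn="Constrained Sub-CA",
                         permitted_dns=["attacker.example"])
FORGED_LEAF = Cert(subject_cn="login.victim.example")       # no SAN at all
HONEST_LEAF = Cert(subject_cn="www.attacker.example",
                   san_dns=["www.attacker.example"])
SAN_FORGED_LEAF = Cert(san_dns=["login.victim.example"])    # SAN present


def scenario() -> dict:
    """Outcome for the forged, SAN-less leaf under each verifier policy."""
    def check(cn_fallback: bool, constrain_cn: bool) -> bool:
        return verify_hostname("login.victim.example", FORGED_LEAF,
                               CONSTRAINED_SUBCA, cn_fallback=cn_fallback,
                               constrain_cn=constrain_cn)
    return {
        "cn_fallback_weak_constraints": check(True, False),   # accepted: MITM
        "cn_fallback_strict_constraints": check(True, True),  # rejected
        "rfc9525_no_fallback": check(False, False),           # rejected
    }


if __name__ == "__main__":
    for policy, accepted in scenario().items():
        print(f"{policy:32s} accepted={accepted}")
```

Note that the same constrained sub-CA cannot forge the host via a SAN entry in any mode, because dNSName constraints are applied to SAN entries; it is only the CN fallback path that needs the extra check, which is why moving to the RFC 9525 rule removes the problem at its root rather than patching the constraint logic alone.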

References

CVE Name CVE-2026-42790
URL https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447