FKIE_CVE-2026-32144

Vulnerability from fkie_nvd - Published: 2026-04-07 13:16 - Updated: 2026-04-23 17:32
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context. This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3. This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.
References
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://cna.erlef.org/cves/CVE-2026-32144.htmlMitigation, Vendor Advisory
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://github.com/erlang/otp/commit/49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0Patch
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://github.com/erlang/otp/commit/ac7ff528be857c5d35eb29c7f24106e3a16d4891Patch
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://github.com/erlang/otp/security/advisories/GHSA-gxrm-pf64-99xmMitigation, Third Party Advisory
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://osv.dev/vulnerability/EEF-CVE-2026-32144Third Party Advisory
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://www.erlang.org/doc/system/versions.html#order-of-versionsVendor Advisory
Impacted products
Vendor Product Version
erlang erlang\/otp *
erlang erlang\/otp *
erlang erlang\/public_key *
erlang erlang\/public_key *
erlang erlang\/ssl *
erlang erlang\/ssl *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2771D519-4124-4D3F-A8E0-3E4704973B3E",
              "versionEndExcluding": "27.3.4.10",
              "versionStartIncluding": "27.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D2E111DA-579A-438F-A2FF-5799B01AF401",
              "versionEndExcluding": "28.4.2",
              "versionStartIncluding": "28.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:erlang:erlang\\/public_key:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "459DB53B-9049-48D3-86F9-5CB3286BDCFB",
              "versionEndExcluding": "1.17.1.2",
              "versionStartIncluding": "1.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:erlang:erlang\\/public_key:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F0812B0-29FA-4EAB-B557-5FB6C8D2D581",
              "versionEndExcluding": "1.20.3",
              "versionStartIncluding": "1.18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:erlang:erlang\\/ssl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BDA65CE8-5C84-4EAE-8709-44240FB9E2A1",
              "versionEndExcluding": "11.2.12.7",
              "versionStartIncluding": "11.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:erlang:erlang\\/ssl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C64F6749-FB4F-4757-B9B9-540612B69606",
              "versionEndExcluding": "11.5.4",
              "versionStartExcluding": "11.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification.\n\nThe OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate\u0027s issuer name matches the CA\u0027s subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid.\n\nThis affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context.\n\nThis vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3.\n\nThis issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7."
    }
  ],
  "id": "CVE-2026-32144",
  "lastModified": "2026-04-23T17:32:55.830",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-07T13:16:46.570",
  "references": [
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://cna.erlef.org/cves/CVE-2026-32144.html"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/erlang/otp/commit/49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/erlang/otp/commit/ac7ff528be857c5d35eb29c7f24106e3a16d4891"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/erlang/otp/security/advisories/GHSA-gxrm-pf64-99xm"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-32144"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
    }
  ],
  "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.