Is CVE-2026-32884 actively exploited?

CVE-2026-32884 has no public evidence of in-the-wild exploitation as of 2026-04-13.

What is the CVSS score for CVE-2026-32884?

CVE-2026-32884 has a CVSS score of 5.9 (MEDIUM severity). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N.

How do I patch CVE-2026-32884?

Patch guidance is available from botan project security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-32884.

Which products are affected by CVE-2026-32884?

1 product: botan project botan.

CVE-2026-32884 - remediation guidance & executive summary

Description

Botan is a C++ cryptography library. Prior to version 3.11.0, during processing of an X.509 certificate path using name constraints which restrict the set of allowable DNS names, if no subject alternative name is defined in the end-entity certificate Botan would check that the CN was allowed by the DNS name constraints, even though this check is technically not required by RFC 5280. However this check failed to account for the possibility of a mixed-case CN. Thus a certificate with CN=Sub.EVIL.COM and no subject alternative name would bypasses an excludedSubtrees constraint for evil.com because the comparison is case-sensitive. This issue has been patched in version 3.11.0.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: network
Complexity: high
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: none
Integrity: high
Availability: none
Weaknesses: CWE-295

Metadata

Primary Vendor: BOTAN_PROJECT
Published: 3/30/2026
Last Modified: 4/13/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2026-32884

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary