CISA issues guidance on crypton-x509-validation NameConstraints failure

A vulnerability in the crypton-x509-validation libraries within the Haskell TLS software stack can allow an attacker with access to a sub-CA to create certificates that validate with Haskell TLS connections. The issue relates to X.509 NameConstraints not being enforced, which can enable full session visibility for the attacker.

The vulnerability is tracked as CVE-2026-9648. The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. The description also states that an attacker who compromises a name-constrained sub-CA can impersonate domains beyond its intended scope, and that NameConstraints tell a CA which domains it is allowed to issue certificates for. The guidance states that the crypton-x509-validation library, which handles certificate validation in Haskell’s TLS connections, ignores NameConstraints entirely and never checks whether a certificate’s Subject Alternative Name falls within what the issuing CA is permitted to cover.

It further states that vulnerable parties should update their libraries to version 1.9.1, and that all prior versions are vulnerable. The overview also states that this gives an attacker full session visibility: the attacker can create a certificate including a SAN for a protected domain, trick Haskell clients into accepting it, and set up a web server presenting the malicious CA to track Haskell clients and capture credentials or sensitive data transferred during the process.
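The missing NameConstraints check described above can be illustrated with the following added example, which is not code from crypton-x509-validation or from the advisory. It applies the RFC 5280 dNSName rule (a name satisfies a subtree if it equals the base or adds labels on the left) and goes slightly beyond the page by also handling excluded subtrees; the function names, CA names and hostnames are all constructed for illustration, and only the leaf certificate's SANs are checked.

```python
# Added example: dNSName NameConstraints check per RFC 5280 section 4.2.1.10.
# All hostnames and CA names below are constructed sample data.

def _labels(name):
    # DNS names compare case-insensitively; a trailing root dot is ignored.
    return name.lower().rstrip(".").split(".")

def within_subtree(dns_name, base):
    """True if dns_name is base itself or base with labels added on the left."""
    if base == "":
        return True  # an empty dNSName constraint covers every DNS name
    n, b = _labels(dns_name), _labels(base)
    # Compare whole labels, not string suffixes: "notcorp.example.test"
    # must not match a subtree of "corp.example.test".
    return len(n) >= len(b) and n[-len(b):] == b

def name_violations(leaf_sans, chain):
    """Check each leaf dNSName SAN against every constrained CA above it.

    chain: list of dicts with "name" plus optional "permitted"/"excluded"
    lists of dNSName subtrees. Returns a list of (san, ca_name, reason).
    """
    found = []
    for san in leaf_sans:
        for ca in chain:
            permitted = ca.get("permitted", [])
            excluded = ca.get("excluded", [])
            if any(within_subtree(san, e) for e in excluded):
                found.append((san, ca["name"], "excluded"))
            # With no permitted dNSName subtrees, DNS names are unrestricted.
            elif permitted and not any(within_subtree(san, p) for p in permitted):
                found.append((san, ca["name"], "not permitted"))
    return found

# Constructed chain: a root with no constraints and a sub-CA limited to
# corp.example.test, minus one excluded subtree.
SAMPLE_CHAIN = [
    {"name": "Sample Root CA"},
    {"name": "Sample Sub-CA", "permitted": ["corp.example.test"],
     "excluded": ["hr.corp.example.test"]},
]
SAMPLE_SANS = ["vpn.corp.example.test", "login.bank.example",
               "notcorp.example.test", "db.hr.corp.example.test"]

if __name__ == "__main__":
    for san, ca, reason in name_violations(SAMPLE_SANS, SAMPLE_CHAIN):
        print(f"REJECT {san}: {reason} by {ca}")
```

A validator that skips this step accepts all four sample SANs, which is the behaviour the advisory describes for versions before 1.9.1.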

An attacker that successfully exploits CVE-2026-9648 can capture any traffic sent between a Haskell client and the attacker’s server, potentially leading to access to sensitive financial information, credential theft, and secret theft. The document also states that the vulnerability is likely to affect industries that use delegated PKI structures, including structures that allow delegated systems to create and assign their own CAs, and notes this is typical in banks or other financial industries.

The vulnerability requires considerable setup and victim interaction in order to be successful. The stated solution is to update to version 1.9.1 of the crypton-x509-validation libraries as soon as possible, since all prior versions are vulnerable.

The document credits Ben Smyth as the reporter and was written by Christopher Cullen. References listed in the advisory include a pull request change page for kazu-yamamoto/crypton-certificate and revisions pages on hackage.haskell.org for crypton-x509-validation-1.9.1, along with pull requests on github.com/haskell/security-advisories.