Vulnerability-Lookup

CVE-2026-45388 (GCVE-0-2026-45388)

Vulnerability from cvelistv5 – Published: 2026-06-15 00:00 – Updated: 2026-06-16 13:57

Summary

In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not meant for server authentication (because of KeyUsage and ExtendedKeyUsage).

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

n/a
CWE-295 - Improper Certificate Validation

Assigner

mitre

References

1 reference

URL	Tags
https://osv.dev/vulnerability/OSEC-2026-06

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-45388",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T13:53:50.818352Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-295",
                "description": "CWE-295 Improper Certificate Validation",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T13:57:42.571Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://osv.dev/vulnerability/OSEC-2026-06"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not meant for server authentication (because of KeyUsage and ExtendedKeyUsage)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T18:52:25.782Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://osv.dev/vulnerability/OSEC-2026-06"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-45388",
    "datePublished": "2026-06-15T00:00:00.000Z",
    "dateReserved": "2026-05-12T00:00:00.000Z",
    "dateUpdated": "2026-06-16T13:57:42.571Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45388",
      "date": "2026-06-19",
      "epss": "0.00313",
      "percentile": "0.2289"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45388\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2026-06-15T20:16:28.350\",\"lastModified\":\"2026-06-16T15:35:16.600\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not meant for server authentication (because of KeyUsage and ExtendedKeyUsage).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"references\":[{\"url\":\"https://osv.dev/vulnerability/OSEC-2026-06\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://osv.dev/vulnerability/OSEC-2026-06\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45388\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-16T13:53:50.818352Z\"}}}], \"references\": [{\"url\": \"https://osv.dev/vulnerability/OSEC-2026-06\", \"tags\": [\"exploit\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-295\", \"description\": \"CWE-295 Improper Certificate Validation\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-16T13:52:20.350Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://osv.dev/vulnerability/OSEC-2026-06\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not meant for server authentication (because of KeyUsage and ExtendedKeyUsage).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2026-06-15T18:52:25.782Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-45388\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-16T13:57:42.571Z\", \"dateReserved\": \"2026-05-12T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2026-06-15T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-45388

Vulnerability from fkie_nvd - Published: 2026-06-15 20:16 - Updated: 2026-06-17 10:51

Severity

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	cve@mitre.org	https://osv.dev/vulnerability/OSEC-2026-06
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://osv.dev/vulnerability/OSEC-2026-06

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "source": "cve@mitre.org"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not meant for server authentication (because of KeyUsage and ExtendedKeyUsage)."
    }
  ],
  "id": "CVE-2026-45388",
  "lastModified": "2026-06-17T10:51:59.727",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-45388",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-06-16T13:53:50.818352Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-06-15T20:16:28.350",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://osv.dev/vulnerability/OSEC-2026-06"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://osv.dev/vulnerability/OSEC-2026-06"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GHSA-RRGX-WGV5-5HF9

Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-16 15:33

Details

Severity

9.1 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-45388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T20:16:28Z",
    "severity": "CRITICAL"
  },
  "details": "In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not meant for server authentication (because of KeyUsage and ExtendedKeyUsage).",
  "id": "GHSA-rrgx-wgv5-5hf9",
  "modified": "2026-06-16T15:33:47Z",
  "published": "2026-06-15T21:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45388"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/OSEC-2026-06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

osec-2026-06

Vulnerability from osv_ocaml

Published

2026-05-20 13:50

Modified

2026-05-20 13:50

Summary

TLS-client (with TLS 1.3) does insufficient certificate checks (missing KeyUsage and ExtendedKeyUsage validation)

Details

The ocaml-TLS 1.3 client does not validate the KeyUsage and ExtendedKeyUsage extensions of the server certificate. This can lead to impersonation with a certificate issued to a client.

Scenario

Every employee at a major bank carries a smart card. The card holds a clientAuth certificate issued by the bank's corporate PKI: identifying the employee for VPN, for badge access, for signing emails. The certificate's Extended Key Usage field marks it "TLS client, not TLS server" — the bank's own CA states what the cert may and may not do. To an ocaml-tls TLS 1.3 client, the marking is invisible. A laptop pulled from a desk, a smart card left in a coffee shop, malware on a workstation — anyone holding any clientAuth cert from any CA in the trust store, with a SAN naming a hostname an ocaml-tls client connects to, impersonates that hostname as a TLS 1.3 server. The same hole catches public-CA misissuance, codeSigning certs with DNS SANs, S/MIME certs with DNS SANs. Any cert in any non-server class becomes a TLS 1.3 server cert.

RFC 5280 §4.2.1.12 binds a cert with an Extended Key Usage extension to the indicated purposes; RFC 8446 §4.4.2.4 carries the constraint into TLS 1.3. ocaml-tls enforces it on its TLS 1.2 path — validate_keyusage in handshake_client.ml:201 checks for Server_auth, wired to answer_certificate_RSA and answer_certificate_DHE. When TLS 1.3 was added, a separate answer_certificate was written in handshake_client13.ml; the EKU check was not ported.

Detailed description

ocaml-tls clients complete the TLS 1.3 handshake with a server presenting a leaf certificate whose Extended Key Usage extension omits id-kp-serverAuth (OID 1.3.6.1.5.5.7.3.1). The probe leaf carries id-kp-clientAuth (1.3.6.1.5.5.7.3.2) and id-kp-codeSigning (1.3.6.1.5.5.7.3.3) only — the cert was issued by its CA for purposes other than TLS server authentication. ocaml-tls accepts the cert, completes ECDHE, verifies CertificateVerify, and delivers application data.

The library has the correct EKU check, in handshake_client.ml:201:validate_keyusage. The TLS 1.3 entry point in handshake_client13.ml:answer_certificate is simply not wired to it. TLS 1.2 handshakes through answer_certificate_RSA and answer_certificate_DHE correctly reject a non-serverAuth cert; the same library accepts it on the TLS 1.3 path.

A sibling finding reports the same class of gap for the KeyUsage extension.

Attack

Numbered attack sequence:

Attacker obtains a leaf cert from any CA in the victim's trust store, with EKU including any of clientAuth, codeSigning, emailProtection, etc. — and excluding serverAuth. Practical sources: commercial S/MIME CAs, code-signing CAs, internal corporate PKI that issues clientAuth certs, public-CA misissuance.
Attacker stands up a TLS 1.3 server with that cert and binds the leaf's SAN hostname to a network position the victim's client will reach (DNS spoof, BGP hijack, captive portal, off-path redirect).
ocaml-tls 1.3 client opens a handshake. Server presents the non-serverAuth cert in its Certificate message.
validate_chain returns Ok. The TLS 1.3 path advances toAwaitServerCertificateVerify13 without checking EKU.
CertificateVerify is signed correctly (attacker holds the leaf's private key); signature verifies.
Handshake completes. Application data flows over the attacker-authenticated session.

ASCII trace:

Attacker                     ocaml-tls client
--------                     ----------------
(holds a cert issued with
 EKU=clientAuth + codeSigning
 from a CA the victim trusts)
ServerHello ------------->
Certificate(EKU=¬serverAuth) -> validate_chain → Ok
CertificateVerify ---------> signature OK
Finished ----------------->
                             ACCEPT
{AppData} <------>           delivered to application

Attack properties:

The CA-issuance boundary that normally separates "may run a TLS server for this name" from "may sign email" or "may sign code" is erased at the handshake.
Hostname binding (SAN) is enforced; the attacker still needs the SAN to match the connected hostname. CAs that issue clientAuth or codeSigning certs commonly bind hostnames in the SAN (corporate-PKI clientAuth certs frequently encode the workstation FQDN).
Public CA misissuance scenarios — accidentally dropping serverAuth from an EKU set, or shipping id-kp-codeSigning alongside SANs intended for TLS — are plausible failure modes given the cert-template surface area; we are not citing a specific documented incident here.

Scope

In scope. All TLS 1.3 client connections through ocaml-tls using x509 cert validation against any trust anchor. Affected populations: MirageOS unikernels, Robur deployments, OCaml apps using mirleft/ocaml-tls for TLS 1.3 client sockets.

Trust model. Production clients trust hundreds of CAs (Mozilla bundle, OS root store, corporate PKI). Many of those CAs legitimately issue certs for purposes other than TLS server auth — S/MIME, code signing, document signing, client auth. Per RFC 5280 §4.2.1.12 the leaf's EKU constrains what each specific cert may be used for. Loading the issuer is the baseline for any TLS handshake to validate at all; ignoring the leaf's EKU is the gap.

Not in scope.

TLS 1.2 connections via the same library — validate_keyusage is wired to the TLS 1.2 paths and rejects non-serverAuth certs.
ocaml-tls server-side accepting client certs — separate code path, not exercised by this finding.
mirage-crypto / nocrypto — pure crypto primitives, not in the cert-validation path.
"Stolen private key" variants — out of scope; this finding requires only that the attacker hold a legitimately-issued cert for a non-server purpose, not that they compromise a serverAuth cert.

Timeline

2026-04-18: vulnerability discovered
2026-04-30: vulnerability reported to the OCaml security team
2026-05-05: initial patch prepared
2026-05-09: additional keyUsage vulnerability reported
2026-05-10: final patch prepared
2026-05-14: patch approved by reporter
2026-05-20: ocaml-tls 2.1.0 released, security advisory published

Severity

7.4 (High)


                    
                      CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Credits

Ben Smyth

Hannes Mehnert

JSON

To clipboard

{
  "affected": [
    {
      "ecosystem_specific": {
        "opam_constraint": "tls {\u003c \"2.1.0\"}"
      },
      "package": {
        "ecosystem": "opam",
        "name": "tls",
        "purl": "pkg:opam/tls"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6a12247b3fbd747972ad2d35b74d9a89f6404952"
            }
          ],
          "repo": "https://github.com/mirleft/ocaml-tls",
          "type": "GIT"
        }
      ],
      "versions": [
        "0.1.0",
        "0.2.0",
        "0.3.0",
        "0.4.0",
        "0.5.0",
        "0.6.0",
        "0.7.0",
        "0.7.1",
        "0.8.0",
        "0.9.0",
        "0.9.1",
        "0.9.2",
        "0.9.3",
        "0.10.1",
        "0.10.2",
        "0.10.3",
        "0.10.4",
        "0.10.5",
        "0.10.6",
        "0.11.0",
        "0.11.1",
        "0.12.0",
        "0.12.1",
        "0.12.2",
        "0.12.3",
        "0.12.4",
        "0.12.5",
        "0.12.6",
        "0.12.7",
        "0.12.8",
        "0.13.0",
        "0.13.1",
        "0.13.2",
        "0.14.0",
        "0.14.1",
        "0.15.0",
        "0.15.1",
        "0.15.2",
        "0.15.3",
        "0.15.4",
        "0.16.0",
        "0.17.0",
        "0.17.1",
        "0.17.3",
        "0.17.4",
        "0.17.5",
        "1.0.0",
        "1.0.2",
        "1.0.4",
        "2.0.0",
        "2.0.1",
        "2.0.2",
        "2.0.3",
        "2.0.4"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45388"
  ],
  "credits": [
    {
      "name": "Ben Smyth",
      "type": "REPORTER"
    },
    {
      "name": "Hannes Mehnert",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "database_specific": {
    "cwe": [
      "CWE-295"
    ],
    "human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2026/OSEC-2026-06.md",
    "osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2026/OSEC-2026-06.json"
  },
  "details": "The ocaml-TLS 1.3 client does not validate the KeyUsage and ExtendedKeyUsage extensions of the server certificate. This can lead to impersonation with a certificate issued to a client.\n\n## Scenario\n\nEvery employee at a major bank carries a smart card. The card holds a clientAuth certificate issued by the bank\u0027s corporate PKI: identifying the employee for VPN, for badge access, for signing emails. The certificate\u0027s Extended Key Usage field marks it \"TLS client, not TLS server\" \u2014 the bank\u0027s own CA states what the cert may and may not do. To an ocaml-tls TLS 1.3 client, the marking is invisible. A laptop pulled from a desk, a smart card left in a coffee shop, malware on a workstation \u2014 anyone holding any clientAuth cert from any CA in the trust store, with a SAN naming a hostname an ocaml-tls client connects to, impersonates that hostname as a TLS 1.3 server. The same hole catches public-CA misissuance, codeSigning certs with DNS SANs, S/MIME certs with DNS SANs. Any cert in any non-server class becomes a TLS 1.3 server cert.\n\nRFC 5280 \u00a74.2.1.12 binds a cert with an Extended Key Usage extension to the indicated purposes; RFC 8446 \u00a74.4.2.4 carries the constraint into TLS 1.3. ocaml-tls enforces it on its TLS 1.2 path\n\u2014 `validate_keyusage` in `handshake_client.ml:201` checks for `Server_auth`, wired to `answer_certificate_RSA` and `answer_certificate_DHE`. When TLS 1.3 was added, a separate `answer_certificate` was written in `handshake_client13.ml`; the EKU check was not ported.\n\n## Detailed description\n\nocaml-tls clients complete the TLS 1.3 handshake with a server presenting a leaf certificate whose Extended Key Usage extension omits `id-kp-serverAuth` (OID 1.3.6.1.5.5.7.3.1). The probe leaf carries `id-kp-clientAuth` (1.3.6.1.5.5.7.3.2) and `id-kp-codeSigning` (1.3.6.1.5.5.7.3.3) only \u2014 the cert was issued by its CA for purposes other than TLS server authentication. ocaml-tls accepts the cert, completes ECDHE, verifies CertificateVerify, and delivers application data.\n\nThe library has the correct EKU check, in `handshake_client.ml:201:validate_keyusage`. The TLS 1.3 entry point in `handshake_client13.ml:answer_certificate` is simply not wired to it. TLS 1.2 handshakes through `answer_certificate_RSA` and `answer_certificate_DHE` correctly reject a non-serverAuth cert; the same library accepts it on the TLS 1.3 path.\n\nA sibling finding reports the same class of gap for the KeyUsage extension.\n\n## Attack\n\nNumbered attack sequence:\n\n1. Attacker obtains a leaf cert from any CA in the victim\u0027s trust store, with EKU including any of `clientAuth`, `codeSigning`, `emailProtection`, etc. \u2014 and excluding `serverAuth`. Practical sources: commercial S/MIME CAs, code-signing CAs, internal corporate PKI that issues clientAuth certs, public-CA misissuance.\n2. Attacker stands up a TLS 1.3 server with that cert and binds the leaf\u0027s SAN hostname to a network position the victim\u0027s client will reach (DNS spoof, BGP hijack, captive portal, off-path redirect).\n3. ocaml-tls 1.3 client opens a handshake. Server presents the non-serverAuth cert in its `Certificate` message.\n4. `validate_chain` returns `Ok`. The TLS 1.3 path advances to`AwaitServerCertificateVerify13` without checking EKU.\n5. CertificateVerify is signed correctly (attacker holds the leaf\u0027s private key); signature verifies.\n6. Handshake completes. Application data flows over the attacker-authenticated session.\n\nASCII trace:\n\n    Attacker                     ocaml-tls client\n    --------                     ----------------\n    (holds a cert issued with\n     EKU=clientAuth + codeSigning\n     from a CA the victim trusts)\n    ServerHello -------------\u003e\n    Certificate(EKU=\u00acserverAuth) -\u003e validate_chain \u2192 Ok\n    CertificateVerify ---------\u003e signature OK\n    Finished -----------------\u003e\n                                 ACCEPT\n    {AppData} \u003c------\u003e           delivered to application\n\nAttack properties:\n\n- The CA-issuance boundary that normally separates \"may run a TLS server for this name\" from \"may sign email\" or \"may sign code\" is erased at the handshake.\n- Hostname binding (SAN) is enforced; the attacker still needs the SAN to match the connected hostname. CAs that issue clientAuth or codeSigning certs commonly bind hostnames in the SAN (corporate-PKI clientAuth certs frequently encode the workstation FQDN).\n- Public CA misissuance scenarios \u2014 accidentally dropping `serverAuth` from an EKU set, or shipping `id-kp-codeSigning` alongside SANs intended for TLS \u2014 are plausible failure modes given the cert-template surface area; we are not citing a specific documented incident here.\n\n## Scope\n\n**In scope.** All TLS 1.3 client connections through ocaml-tls using x509 cert validation against any trust anchor. Affected populations: MirageOS unikernels, Robur deployments, OCaml apps using `mirleft/ocaml-tls` for TLS 1.3 client sockets.\n\n**Trust model.** Production clients trust hundreds of CAs (Mozilla bundle, OS root store, corporate PKI). Many of those CAs legitimately issue certs for purposes other than TLS server auth \u2014 S/MIME, code signing, document signing, client auth. Per RFC 5280 \u00a74.2.1.12 the leaf\u0027s EKU constrains what each specific cert may be used for. Loading the issuer is the baseline for any TLS handshake to validate at all; ignoring the leaf\u0027s EKU is the gap.\n\n**Not in scope.**\n\n- TLS 1.2 connections via the same library \u2014 `validate_keyusage` is wired to the TLS 1.2 paths and rejects non-serverAuth certs.\n- ocaml-tls server-side accepting client certs \u2014 separate code path, not exercised by this finding.\n- `mirage-crypto` / `nocrypto` \u2014 pure crypto primitives, not in the cert-validation path.\n- \"Stolen private key\" variants \u2014 out of scope; this finding requires only that the attacker hold a legitimately-issued cert for a non-server purpose, not that they compromise a serverAuth cert.\n\n## Timeline\n\n- 2026-04-18: vulnerability discovered\n- 2026-04-30: vulnerability reported to the OCaml security team\n- 2026-05-05: initial patch prepared\n- 2026-05-09: additional keyUsage vulnerability reported\n- 2026-05-10: final patch prepared\n- 2026-05-14: patch approved by reporter\n- 2026-05-20: ocaml-tls 2.1.0 released, security advisory published",
  "id": "OSEC-2026-06",
  "modified": "2026-05-20T13:50:00Z",
  "published": "2026-05-20T13:50:00Z",
  "references": [],
  "schema_version": "1.7.4",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TLS-client (with TLS 1.3) does insufficient certificate checks (missing KeyUsage and ExtendedKeyUsage validation)"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-45388 (GCVE-0-2026-45388)

FKIE_CVE-2026-45388

GHSA-RRGX-WGV5-5HF9

osec-2026-06

Vulnerability from osv_ocaml

Scenario

Detailed description

Attack

Scope

Timeline

Tags

Sightings

Nomenclature