CVE-2026-34582
EUVD-2026-1994807.04.2026, 22:16
Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can by bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| botan_project | botan | 3.0.0 ≤ 𝑥 ≤ 3.11.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-841 - Improper Enforcement of Behavioral WorkflowThe software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.
- CWE-166 - Improper Handling of Missing Special ElementThe software receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.