Cyber Resilience

CVE-2026-9648

Critical

Published: 11 June 2026

Modified: 17 June 2026
KEV Added
Patch
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0022 (12.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-9648 is a critical-severity vulnerability of unspecified weakness type in Haskell (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE ranks at the 12.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.
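
What enforcing the constraint looks like for dNSName entries, following RFC 5280 section 4.2.1.10, as an added example (not code from crypton-x509-validation or from this advisory). The function names, the `corp.example` constraint and the sample SANs are constructed; wildcard SANs and other name types (IP, email, URI) are out of scope.

```python
# Added illustration: RFC 5280 section 4.2.1.10 dNSName name-constraint check.
# Not crypton-x509-validation code; all names and sample data are constructed.

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def in_subtree(san, base):
    """True if `san` equals `base` or adds whole labels to its left.

    Comparing labels (not raw string suffixes) keeps "notcorp.example"
    from matching a "corp.example" constraint.
    """
    s, b = _labels(san), _labels(base)
    return len(s) >= len(b) and s[len(s) - len(b):] == b

def check_dns_constraints(sans, permitted, excluded):
    """Return the SANs that violate one CA's constraints (empty list = acceptable).

    permitted=None means the CA set no permitted dNSName subtrees.
    An empty list means no dNSName is permitted at all.
    """
    violations = []
    for san in sans:
        if any(in_subtree(san, e) for e in excluded):
            violations.append(san)   # an excluded subtree always wins
        elif permitted is not None and not any(in_subtree(san, p) for p in permitted):
            violations.append(san)   # outside every permitted subtree
    return violations

def validate_chain(leaf_sans, ca_constraints):
    """Apply every CA's constraints on the path; the leaf must satisfy all of them."""
    bad = set()
    for permitted, excluded in ca_constraints:
        bad.update(check_dns_constraints(leaf_sans, permitted, excluded))
    return sorted(bad)

# Constructed scenario: a sub-CA limited to corp.example, minus one excluded subtree.
SUB_CA = (["corp.example"], ["legacy.corp.example"])
ROOT_CA = (None, [])  # unconstrained root

if __name__ == "__main__":
    for sans in (["vpn.corp.example"], ["bank.example", "vpn.corp.example"]):
        print(sans, "->", validate_chain(sans, [ROOT_CA, SUB_CA]) or "ok")
```

A validator that skips this step accepts the second certificate, which is the behaviour the description attributes to the affected library.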

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing…

Why these techniques?

NameConstraints bypass in X.509 validation directly enables domain impersonation via fraudulent certificates, facilitating Adversary-in-the-Middle attacks.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Haskell
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References