CVE-2026-34610

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

02/04/2026

Last modified:

24/04/2026

Description

The leancrypto library is a cryptographic library that exclusively contains only PQC-resistant cryptographic algorithms. Prior to version 1.7.1, lc_x509_extract_name_segment() casts size_t vlen to uint8_t when storing the Common Name (CN) length. An attacker who crafts a certificate with CN = victim&#39;s CN + 256 bytes padding gets cn_size = (uint8_t)(256 + N) = N, where N is the victim&#39;s CN length. The first N bytes of the attacker&#39;s CN are the victim&#39;s identity. After parsing, the attacker&#39;s certificate has an identical CN to the victim&#39;s — enabling identity impersonation in PKCS#7 verification, certificate chain matching, and code signing. This issue has been patched in version 1.7.1.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS v3.1 Severity and Metrics:

Base Score: 5.90 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): High
Availability (A): None