CVE-2026-45388
Description
OCaml-TLS before 2.1.0 does not validate server certificate Extended Key Usage in TLS 1.3, enabling impersonation with clientAuth or codeSigning certificates.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In OCaml-TLS versions prior to 2.1.0, the TLS 1.3 client implementation (handshake_client13.ml) fails to check the ExtendedKeyUsage and KeyUsage extensions of the server's leaf certificate. The TLS 1.2 code path (handshake_client.ml) correctly validates that the certificate includes id-kp-serverAuth (OID 1.3.6.1.5.5.7.3.1), but this check was not ported to the new TLS 1.3 handshake function answer_certificate. As a result, any certificate that chains to a trusted CA and has a Subject Alternative Name (SAN) matching the target hostname is accepted, even if its Extended Key Usage only permits client authentication, code signing, or other non-server purposes. [1]
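The missing check, written out as an added Python example (not OCaml-TLS code) so the rule the TLS 1.2 path enforces is concrete: a server leaf is acceptable only if its EKU extension lists id-kp-serverAuth or is absent. The DER helpers and the sample EKU values are constructed here for the example.

```python
# Added example (not OCaml-TLS code): the Extended Key Usage check that
# CVE-2026-45388 reports missing from the TLS 1.3 client path. A server leaf
# must list id-kp-serverAuth (1.3.6.1.5.5.7.3.1) in its EKU extension or carry
# no EKU at all (RFC 5280 4.2.1.12); anyExtendedKeyUsage is accepted as well.
# The DER helpers handle only what an EKU extnValue needs (short-form lengths).
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ANY_EKU = "2.5.29.37.0"  # anyExtendedKeyUsage

def _base128(n):
    out = bytes([n & 0x7F])
    while n := n >> 7:
        out = bytes([0x80 | (n & 0x7F)]) + out
    return out

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06) for a dotted OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(map(_base128, arcs[2:]))
    return bytes([0x06, len(body)]) + body

def encode_eku(oids):
    """DER extnValue of an EKU extension: SEQUENCE OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(body)]) + body

def decode_eku(der):
    """Parse an EKU extnValue into dotted OIDs; rejects malformed input."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    pos, oids = 2, []
    while pos < len(der):
        if pos + 1 >= len(der) or der[pos] != 0x06 or not der[pos + 1] \
                or pos + 2 + der[pos + 1] > len(der):
            raise ValueError("malformed OBJECT IDENTIFIER")
        arcs, acc = [], 0
        for b in der[pos + 2 : pos + 2 + der[pos + 1]]:
            acc = (acc << 7) | (b & 0x7F)
            if not b & 0x80:          # last byte of this arc
                arcs, acc = arcs + [acc], 0
        first = min(arcs[0] // 40, 2)  # first two arcs are packed together
        oids.append(".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:])))
        pos += 2 + der[pos + 1]
    return oids

def permits_server_auth(eku_der):
    """True if a leaf with this EKU extnValue (None = absent) may act as a TLS server."""
    if eku_der is None:
        return True
    oids = decode_eku(eku_der)
    return ID_KP_SERVER_AUTH in oids or ANY_EKU in oids
```

A clientAuth-only or codeSigning-only EKU is rejected by `permits_server_auth`, which is exactly the case the vulnerable TLS 1.3 client accepted.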
Exploitation
An attacker needs a certificate that is not intended for TLS server authentication (e.g., a client authentication certificate from a corporate PKI, a code signing certificate, or an S/MIME certificate) but that contains a DNS SAN matching the hostname the OCaml-TLS client intends to connect to. The attacker must also be in a position to intercept or redirect the client's TLS connection (e.g., on the same network, via DNS spoofing, or by compromising a router). During the TLS 1.3 handshake, the attacker presents this certificate as the server's leaf certificate. The OCaml-TLS client verifies the certificate chain and signature but does not enforce the Extended Key Usage constraint, so the handshake succeeds. [1]
Impact
A successful attack allows the adversary to impersonate any server hostname to an OCaml-TLS client using TLS 1.3. This can lead to man-in-the-middle attacks, interception of sensitive data, and injection of malicious content. The attacker gains the ability to decrypt and modify application-layer traffic, effectively compromising the confidentiality and integrity of the TLS session. The client believes it is communicating with the legitimate server, while the attacker controls the connection. [1]
Mitigation
The vulnerability is fixed in OCaml-TLS version 2.1.0. Users should upgrade to this version or later. No workaround is available for versions prior to 2.1.0. The issue is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. [1]
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
No source-code context for this CVE — vulnerability mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0 (no linked articles in our index yet)