vulnerability context

CVE-2026-42508

CVSS 9.1 CRITICALEPSS 28%CWE-295OTX 9 pulses

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

Published 2026-05-22 · last modified 2026-06-17

details

CISA KEV status: Not in catalog
CVSS v3: 9.1 / CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 28% percentile (score 0.0037)
CWE: CWE-295
OTX pulses: 9 total, 0 recent

View on NVD → · cve.org

source mentions 2

USN-8447-2: LXD vulnerabilitiesUbuntu Security Notices · 5d ago
CVE-2026-42508 Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhostsMSRC Update Guide · 27d ago

source consensus

Ubuntu Security Notices1×
MSRC Update Guide1×

Want the 3-bullet summary of CVE-2026-42508, plus webhook alerts when KEV is updated? Pro is $10/mo.

Open in reader See Pro →