{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/tls/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-32283"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","tls","crypto/tls"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-32283 describes a vulnerability within the crypto/tls component related to the processing of TLS 1.3 KeyUpdate records. The core issue stems from the lack of proper authentication for these KeyUpdate records. An attacker exploiting this flaw can send unauthenticated KeyUpdate records to a vulnerable server. The server, upon processing these records, may retain connections persistently or enter a denial-of-service (DoS) state due to resource exhaustion. This vulnerability poses a significant risk to systems relying on TLS 1.3 for secure communication. While the specific vulnerable products are not detailed in the source, the report does mention Microsoft as the affected vendor. Defenders must identify and patch the vulnerable crypto/tls implementations to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker establishes a TLS 1.3 connection with a vulnerable server.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious TLS 1.3 KeyUpdate record without proper authentication.\u003c/li\u003e\n\u003cli\u003eAttacker sends the unauthenticated KeyUpdate record to the target server over the established TLS connection.\u003c/li\u003e\n\u003cli\u003eThe vulnerable crypto/tls implementation on the server processes the malformed KeyUpdate record.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper validation, the server\u0026rsquo;s connection state becomes inconsistent.\u003c/li\u003e\n\u003cli\u003eThe server retains the connection persistently due to the invalid state.\u003c/li\u003e\n\u003cli\u003eAttacker repeats steps 2-6 to exhaust server resources with numerous persistent connections.\u003c/li\u003e\n\u003cli\u003eThe server enters a denial-of-service (DoS) condition, becoming unresponsive to legitimate requests.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32283 can lead to a denial-of-service condition, rendering affected servers unavailable. The number of affected victims will vary based on the deployment of vulnerable crypto/tls implementations. Services relying on TLS 1.3 for secure communication are at risk. If the attack succeeds, legitimate users will be unable to access the affected services, potentially causing significant disruption and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all systems using the crypto/tls component from Microsoft to determine if they are vulnerable to CVE-2026-32283.\u003c/li\u003e\n\u003cli\u003eApply the security updates released by Microsoft to patch CVE-2026-32283 on all affected systems as soon as they are available, according to the Microsoft Security Update Guide.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious TLS KeyUpdate records, focusing on malformed or unauthenticated packets using a network intrusion detection system (NIDS).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T08:43:55Z","date_published":"2026-04-30T08:43:55Z","id":"/briefs/2026-04-tls-keyupdate-dos/","summary":"CVE-2026-32283 is a vulnerability in crypto/tls that allows unauthenticated TLS 1.3 KeyUpdate records, leading to persistent connection retention and a denial-of-service condition.","title":"CVE-2026-32283 Unauthenticated TLS 1.3 KeyUpdate DoS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tls-keyupdate-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":5.3,"id":"CVE-2026-34073"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["certificate validation","man-in-the-middle","dns name constraint","tls","cve-2026-34073"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-34073 describes a security vulnerability related to incomplete DNS name constraint enforcement affecting an unspecified Microsoft product. The vulnerability lies in the improper validation of peer names against DNS name constraints during certificate validation. An attacker could potentially exploit this flaw to bypass security checks and impersonate legitimate servers or services. Further details regarding the specific affected products and exploitation scenarios are currently unavailable but are anticipated to be released by Microsoft. Defenders should closely monitor Microsoft\u0026rsquo;s official communication channels for updates and guidance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eAs the vulnerability details are limited, the following attack chain is based on a generalized understanding of how incomplete DNS name constraint enforcement could be exploited.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious certificate with a DNS name that is designed to bypass the incomplete constraint enforcement.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a rogue server or service using the crafted certificate.\u003c/li\u003e\n\u003cli\u003eA client application (potentially within the Microsoft ecosystem) attempts to establish a secure connection with the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eDuring the TLS handshake, the client application receives the malicious certificate.\u003c/li\u003e\n\u003cli\u003eDue to the incomplete DNS name constraint enforcement, the client application incorrectly validates the certificate as trusted.\u003c/li\u003e\n\u003cli\u003eA secure connection is established between the client and the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts or manipulates data transmitted over the \u0026ldquo;secure\u0026rdquo; connection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34073 could allow an attacker to perform man-in-the-middle attacks, intercept sensitive data, or impersonate legitimate services. The specific impact depends on the affected product and the context in which the vulnerability is exploited. Given the potential for widespread impact within Microsoft environments, this vulnerability is considered high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Microsoft\u0026rsquo;s Security Update Guide for specific product advisories and patches related to CVE-2026-34073 (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34073)\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34073)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy any available patches or workarounds as soon as they are released by Microsoft to mitigate the risk of exploitation.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect anomalous TLS certificate exchanges that may indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T07:46:18Z","date_published":"2026-04-30T07:46:18Z","id":"/briefs/2024-01-cve-2026-34073/","summary":"CVE-2026-34073 is a vulnerability in unspecified Microsoft products due to incomplete DNS name constraint enforcement on peer names, potentially leading to certificate validation bypass.","title":"CVE-2026-34073: Incomplete DNS Name Constraint Enforcement Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-34073/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-41898"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["rust-openssl","memory-leak","tls","cve"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-41898 is a security vulnerability affecting the rust-openssl library. The vulnerability stems from a failure to properly validate the length of data returned by callbacks during Pre-Shared Key (PSK) and cookie generation processes within OpenSSL. This oversight can lead to OpenSSL inadvertently exposing adjacent memory regions to a remote network peer. While the exact scope of impact is not detailed in the initial advisory, the potential for memory leakage raises concerns about sensitive information disclosure. Defenders should closely monitor applications utilizing rust-openssl for anomalous behavior indicative of exploitation attempts. The Microsoft Security Response Center published information regarding this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA client initiates a TLS handshake with a server using rust-openssl.\u003c/li\u003e\n\u003cli\u003eThe server requests PSK or initiates a cookie exchange as part of the TLS handshake.\u003c/li\u003e\n\u003cli\u003erust-openssl triggers a callback function to generate the PSK or cookie data.\u003c/li\u003e\n\u003cli\u003eThe callback function returns data with a length that is not properly validated by rust-openssl.\u003c/li\u003e\n\u003cli\u003eDue to the unchecked length, OpenSSL reads beyond the intended buffer boundary.\u003c/li\u003e\n\u003cli\u003eOpenSSL copies the over-read memory region into the response sent to the client.\u003c/li\u003e\n\u003cli\u003eThe client receives the response containing the leaked memory.\u003c/li\u003e\n\u003cli\u003eThe client can then analyze the leaked memory for sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41898 can lead to the leakage of sensitive information from the server\u0026rsquo;s memory. This information could include cryptographic keys, session data, or other confidential data. The extent of the leak depends on the amount of memory that is read beyond the intended buffer. The vulnerability could affect any application or service that uses rust-openssl for TLS communication and relies on PSK or cookie generation. The number of potential victims is currently unknown, but it would depend on the adoption rate of rust-openssl in security-sensitive applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for unusually large TLS handshake responses, which may indicate an attempt to trigger the memory leak.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation for callback functions used in PSK and cookie generation within rust-openssl.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect potential exploitation attempts based on anomalous network connection patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T07:33:41Z","date_published":"2026-04-29T07:33:41Z","id":"/briefs/2026-04-rust-openssl-leak/","summary":"CVE-2026-41898 describes a vulnerability in rust-openssl where unchecked callback-returned length in PSK and cookie generation can cause OpenSSL to leak adjacent memory to a network peer.","title":"rust-openssl Memory Leak via Unchecked Callback Length (CVE-2026-41898)","url":"https://feed.craftedsignal.io/briefs/2026-04-rust-openssl-leak/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["juju","dqlite","tls","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eJuju, a service orchestration tool, contains a critical vulnerability related to improper TLS configuration within its Dqlite database cluster. This vulnerability affects Juju controller versions 3.2.0 up to 3.6.20 and 4.0.5. The lack of client certificate checking and server certificate verification allows an attacker with network route-ability to the Juju controller\u0026rsquo;s Dqlite cluster endpoint (port 17666) to join the cluster without proper authentication. This grants the attacker the ability to read and modify all information within the database, including sensitive user credentials and system configurations. Exploitation of this vulnerability enables privilege escalation, unauthorized access to resources, and potentially the ability to open firewall ports, leading to a complete compromise of the Juju controller and managed services. Patches are available in Juju versions 3.6.20 and 4.0.5.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains network access to the target Juju controller\u0026rsquo;s Dqlite cluster endpoint, typically port 17666.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool like \u003ccode\u003edqlite-demo\u003c/code\u003e or a custom-built application leveraging the go-dqlite library to attempt to join the Dqlite cluster.\u003c/li\u003e\n\u003cli\u003eDue to the missing client certificate verification, the attacker\u0026rsquo;s connection is accepted without proper authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker switches to the \u003ccode\u003econtroller\u003c/code\u003e database using the \u003ccode\u003e.switch controller\u003c/code\u003e command within the dqlite shell.\u003c/li\u003e\n\u003cli\u003eThe attacker queries the \u003ccode\u003euser\u003c/code\u003e table to identify existing users and their associated privileges using \u003ccode\u003eselect * from user;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003edisplay_name\u003c/code\u003e of the \u003ccode\u003eadmin\u003c/code\u003e user within the \u003ccode\u003euser\u003c/code\u003e table using an \u003ccode\u003eupdate\u003c/code\u003e SQL command, for example: \u003ccode\u003eupdate user set display_name='Compromised Admin' where name='admin';\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker could further modify credentials, add new administrative users, or modify system configurations within the database.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their unauthorized access to escalate privileges, compromise managed services, and potentially open firewall ports, gaining complete control over the Juju environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to completely compromise the Juju controller. The attacker can read and modify all information within the Juju database, including user credentials, application configurations, and system settings. This can lead to the compromise of all applications and services managed by the Juju controller.  Privilege escalation allows the attacker to gain administrative control over the Juju environment. The ability to open firewall ports provides a pathway for lateral movement and further exploitation of the compromised network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Juju controllers to versions 3.6.20 or 4.0.5 to apply the patches that address this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement restrictive firewall rules to limit access to port 17666 on Juju controllers, as recommended in the advisory. Ensure only other controller IP addresses can connect to this port.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect unauthorized connections to the Dqlite database (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor network connections to port 17666 for unexpected source IP addresses (see IOCs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T00:03:36Z","date_published":"2026-04-02T00:03:36Z","id":"/briefs/2026-04-juju-tls-vuln/","summary":"Juju controller versions 3.2.0 up to 3.6.20 and 4.0.5 are vulnerable to unauthorized database access due to improper TLS client/server authentication and certificate verification, allowing an attacker with network access to modify all information, escalate privileges, and open firewall ports.","title":"Juju Controller Vulnerable to Unauthorized Database Access Due to Improper TLS Configuration","url":"https://feed.craftedsignal.io/briefs/2026-04-juju-tls-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Tls","version":"https://jsonfeed.org/version/1.1"}