CVE-2026-8367

Summary

aria2c accepts a server certificate with incorrect Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.

Affected Software

VendorProductVersion RangeStatus
aria2_projectaria2c0 <= 1.37.0affected

Weaknesses

  • CWE-295: CWE-295 Improper certificate validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References