CVE-2026-40944

Summary

The trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded. This silently breaks certificate chain validation for mTLS.

Impact

In deployments using mTLS with certificate chains (intermediate CA + root CA bundles), legitimate clients with properly chained certificates are rejected with x509: certificate signed by unknown authority. This degrades the security posture by making mTLS unusable with standard CA chain configurations, potentially forcing operators to disable client certificate verification.

All versions using TLS with trustedCaFile configuration are affected.

Details

In common/security/tls.go, the trustedCertPool() method calls pem.Decode() only once, processing a single PEM block. The remaining bytes (containing additional certificates) are silently discarded. Additionally, the error return from pem.Decode is ignored, so a corrupted CA file results in an empty certificate pool without any error.

Patches

Fixed by iterating over all PEM blocks in the file, parsing each CERTIFICATE block, and returning an error if no valid certificates are found.

Workarounds

Use CA files containing only a single certificate (the direct issuer of client certificates, not a chain).