CVE-2026-11703 describes a vulnerability where stateful TLS session resumption using session IDs did not verify that the resumed session matched the originally negotiated SNI and ALPN values. This omission allowed a cached session to be resumed under a different SNI/ALPN, potentially causing client authentication state to be reused in an unintended virtual host context. The vulnerability arises because the binding check was only applied to ticket-based resumption, not session-ID resumption. The fix enforces SNI/ALPN binding verification for all resumption methods, rejecting mismatched resumptions and requiring a full handshake instead.

The vulnerability could allow a client to resume a TLS session under a different SNI or ALPN than originally negotiated, potentially bypassing client-authentication policies that differ across virtual hosts. This could lead to unauthorized reuse of authentication state in contexts where it was not established, weakening access controls. However, exploitation requires conditions such as differing client-authentication policies across virtual hosts and the ability to reuse cached sessions with altered SNI/ALPN. No known exploits are reported in the wild.

No official patch or vendor advisory is provided in the available data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability has been addressed by enforcing SNI/ALPN binding checks on all session resumption paths, falling back to a full handshake on mismatch. Users should monitor vendor communications for patches or updates implementing this fix.