diff --git a/gnutls-3.8.2-CVE-2026-42011.patch b/gnutls-3.8.2-CVE-2026-42011.patch
new file mode 100644
index 0000000000000000000000000000000000000000..822b8a60498eee95930316921ad194410c334375
--- /dev/null
+++ b/gnutls-3.8.2-CVE-2026-42011.patch
@@ -0,0 +1,47 @@
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Tue, 14 Apr 2026 17:41:30 +0200
+Subject: [PATCH] x509/name_constraints: fix intersecting empty constraints
+
+Permitted name constraints were wrongfully ignored
+when prior CAs only had excluded name constraints,
+resulting in a name constraint bypass.
+
+With this change, they are taken into account and propagate.
+
+Backported to gnutls-3.8.2 (post CVE-2024-12243 refactor):
+the upstream fix targets the 3.8.13 implementation where the empty
+check is `gl_list_size(permitted1->items) == 0`. In 3.8.2 (after
+CVE-2024-12243's rewrite) the equivalent guard is
+`permitted->size == 0 || permitted2->size == 0`. Removing it
+restores the correct intersection semantics:
+  - empty permitted ∩ non-empty permitted2  →  permitted2 propagates
+  - non-empty permitted ∩ empty permitted2  →  permitted unchanged
+  - empty ∩ empty                            →  remains empty
+Verified that subsequent phases 1, 2, 3 of
+name_constraints_node_list_intersect() correctly degenerate when
+either list is empty.
+
+Reported-by: Haruto Kimura (Stella)
+Fixes: #1824
+Fixes: CVE-2026-42011
+Fixes: GNUTLS-SA-2026-04-29-6
+CVSS: 4.8 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+---
+ lib/x509/name_constraints.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/lib/x509/name_constraints.c
++++ b/lib/x509/name_constraints.c
+@@ -348,9 +348,6 @@
+ 	memset(types_with_empty_intersection, 0,
+ 	       sizeof(types_with_empty_intersection));
+ 
+-	if (permitted->size == 0 || permitted2->size == 0)
+-		return 0;
+-
+ 	/* Phase 1
+ 	 * For each name in PERMITTED, if a PERMITTED2 does not contain a name
+ 	 * with the same type, move the original name to REMOVED.
+-- 
+2.33.0
diff --git a/gnutls-3.8.2-CVE-2026-42012.patch b/gnutls-3.8.2-CVE-2026-42012.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0e359791c042e1be75fad47afe78da8981cdbe34
--- /dev/null
+++ b/gnutls-3.8.2-CVE-2026-42012.patch
@@ -0,0 +1,49 @@
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Fri, 13 Mar 2026 17:02:07 +0100
+Subject: [PATCH] x509/hostname-verify: make URI/SRV SAN preclude CN fallback
+
+URI/SRV SAN did not suppress CN fallback as required by RFC 6125 6.4.4:
+> a client MUST NOT seek a match for a reference identifier of CN-ID
+> if the presented identifiers include a DNS-ID, *SRV-ID*, *URI-ID*,
+> or any application-specific identifier types supported by the client.
+
+With this change, certificates containing URI SAN
+no longer pass DNS hostname checks via CN fallback
+to avoid potential misuse of such certificates
+beyond their original purpose.
+
+Backported to gnutls-3.8.2:
+the upstream fix (commit 8dcc6a1f) extends the PRECLUDES_CN_FALLBACK()
+macro with GNUTLS_SAN_URI and GNUTLS_SAN_OTHERNAME_SRV. In 3.8.2 the
+equivalent macro is IS_SAN_SUPPORTED(), and GNUTLS_SAN_OTHERNAME_SRV
+does not exist yet (the SRV virtual-SAN enum was introduced later by
+upstream commit 5cc003b9). gnutls_x509_crt_get_subject_alt_name() in
+3.8.2 therefore never returns an SRV virtual SAN, so only the
+GNUTLS_SAN_URI addition is meaningful and is applied here.
+
+Reported-by: Oleh Konko <security@1seal.org>
+Fixes: #1802
+Fixes: CVE-2026-42012
+Fixes: GNUTLS-SA-2026-04-29-7
+CVSS: 6.5 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+---
+ lib/x509/hostname-verify.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/lib/x509/hostname-verify.c
++++ b/lib/x509/hostname-verify.c
+@@ -108,8 +108,9 @@
+  * that we do not fallback to CN-ID if we encounter a supported name
+  * type.
+  */
+-#define IS_SAN_SUPPORTED(san) \
+-	(san == GNUTLS_SAN_DNSNAME || san == GNUTLS_SAN_IPADDRESS)
++#define IS_SAN_SUPPORTED(san)                                       \
++	(san == GNUTLS_SAN_DNSNAME || san == GNUTLS_SAN_IPADDRESS || \
++	 san == GNUTLS_SAN_URI)
+ 
+ /**
+  * gnutls_x509_crt_check_hostname2:
+-- 
+2.33.0
diff --git a/gnutls-3.8.2-CVE-2026-42013.patch b/gnutls-3.8.2-CVE-2026-42013.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4b1d100a41b1704343e1213c2d763cec1bd69f37
--- /dev/null
+++ b/gnutls-3.8.2-CVE-2026-42013.patch
@@ -0,0 +1,76 @@
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Wed, 15 Apr 2026 16:02:19 +0200
+Subject: [PATCH] x509: prevent fallback on oversized SAN
+
+Passing oversized SAN did not preclude CN (or DN email) fallback
+during verification, which is an RFC 6125 6.4.4 violation.
+
+Now oversized SAN are skipped over,
+but prevent the fallback from happening.
+
+Backported to gnutls-3.8.2:
+the upstream fix (commit 29801bef) relies on the dedicated
+cn_fallback_allowed / dn_fallback_allowed booleans that only exist in
+the refactored 3.8.13 verification loops. In 3.8.2 the CN fallback in
+gnutls_x509_crt_check_hostname2() is gated by
+"!have_other_addresses && !found_dnsname", and the DN email fallback in
+gnutls_x509_crt_check_email() is gated by "!found_rfc822name".
+We therefore reuse those existing flags: on encountering an oversized
+SAN (GNUTLS_E_SHORT_MEMORY_BUFFER) we mark the corresponding gate
+(have_other_addresses / found_rfc822name), reset ret to 0 and continue
+scanning the remaining SAN entries, which is semantically identical to
+upstream (skip oversized SAN, keep scanning, but suppress fallback).
+
+Reported-by: Haruto Kimura (Stella)
+Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
+Fixes: #1825
+Fixes: #1849
+Fixes: CVE-2026-42013
+Fixes: GNUTLS-SA-2026-04-27-8
+CVSS: 6.5 Moderate CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+---
+ lib/x509/email-verify.c    | 10 ++++++++++
+ lib/x509/hostname-verify.c | 10 ++++++++++
+ 2 files changed, 20 insertions(+)
+
+--- a/lib/x509/hostname-verify.c
++++ b/lib/x509/hostname-verify.c
+@@ -214,6 +214,16 @@
+ 		ret = gnutls_x509_crt_get_subject_alt_name(cert, i, dnsname,
+ 							   &dnsnamesize, NULL);
+ 
++		if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
++			/* oversized SAN; skip it but preclude CN fallback
++			 * (RFC 6125 6.4.4) */
++			_gnutls_debug_log(
++				"oversized SAN ignored, disabling CN fallback\n");
++			have_other_addresses = 1;
++			ret = 0;
++			continue;
++		}
++
+ 		if (ret == GNUTLS_SAN_DNSNAME) {
+ 			found_dnsname = 1;
+ 
+--- a/lib/x509/email-verify.c
++++ b/lib/x509/email-verify.c
+@@ -75,6 +75,16 @@
+ 		ret = gnutls_x509_crt_get_subject_alt_name(
+ 			cert, i, rfc822name, &rfc822namesize, NULL);
+ 
++		if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
++			/* oversized SAN; skip it but preclude DN fallback
++			 * (RFC 6125 6.4.4) */
++			_gnutls_debug_log(
++				"oversized SAN ignored, disabling DN fallback\n");
++			found_rfc822name = 1;
++			ret = 0;
++			continue;
++		}
++
+ 		if (ret == GNUTLS_SAN_RFC822NAME) {
+ 			found_rfc822name = 1;
+ 
+-- 
+2.33.0
diff --git a/gnutls.spec b/gnutls.spec
index 799dabc197a6b2b4dd6a2354d57b8821ae77a4ca..24a28b2b62ee82b8ea343a26f0dd0b8f7c89ce5d 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -3,7 +3,7 @@
 Summary: The GNU TLS protocol implementation
 Name: gnutls
 Version: 3.8.2
-Release: 12%{?dist}
+Release: 14%{?dist}
 License: LGPLv2.1+ and GPLv3+
 URL: http://www.gnutls.org/
 Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{major_minor}/%{name}-%{version}.tar.xz
@@ -39,6 +39,12 @@ Patch0019: gnutls-3.8.2-avoid-null-pointer-dereference.patch
 Patch0020: gnutls-3.8.2-fix-ktls.patch
 Patch0021: gnutls-3.8.2-CVE-2026-3833.patch
 Patch0022: gnutls-3.8.2-CVE-2026-33846.patch
+# https://gitlab.com/gnutls/gnutls/-/commit/1dead2faec6320aaba321eb56f20d442df192b83
+Patch0023: gnutls-3.8.2-CVE-2026-42011.patch
+# https://gitlab.com/gnutls/gnutls/-/commit/8dcc6a1f48945997666ac9f10896819edd01a03b
+Patch0024: gnutls-3.8.2-CVE-2026-42012.patch
+# https://gitlab.com/gnutls/gnutls/-/commit/29801bef00ecc0f23c0bac4cd333b269cd2c1af4
+Patch0025: gnutls-3.8.2-CVE-2026-42013.patch
 
 BuildRequires: p11-kit-devel, gettext-devel, zlib-devel, readline-devel
 BuildRequires: libtasn1-devel, nettle-devel, libidn2-devel, libunistring-devel
@@ -184,6 +190,14 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %{_libdir}/libgnutls-dane.so.*
 
 %changelog
+* Mon Jun 01 2026 Feng Weiyao <wynnfeng@tencent.com> - 3.8.2-14
+- [type] security
+- [desc] fix CVE-2026-42012 (URI SAN should preclude CN fallback) and CVE-2026-42013 (oversized SAN should preclude CN/DN fallback)
+
+* Tue May 12 2026 Feng Weiyao <wynnfeng@tencent.com> - 3.8.2-13
+- [type] security
+- [desc] fix CVE-2026-42011 (name constraint bypass when prior CA only excludes)
+
 * Fri May 08 2026 Feng Weiyao <wynnfeng@tencent.com> - 3.8.2-12
 - [type] security
 - [desc] fix CVE-2026-3833 and CVE-2026-33846