For intermediate CA only signature is checked, missed check for basic constaint allows to use any valid certificate as CA certificate.
vulners.com/securityvulns/securityvulns:doc:3353
vulners.com/securityvulns/securityvulns:doc:3354
vulners.com/securityvulns/securityvulns:doc:3390
vulners.com/securityvulns/securityvulns:doc:3391
vulners.com/securityvulns/securityvulns:doc:3448
vulners.com/securityvulns/securityvulns:doc:3458
vulners.com/securityvulns/securityvulns:doc:3778
vulners.com/securityvulns/securityvulns:doc:4031
vulners.com/securityvulns/securityvulns:doc:5468