Critical Python Cryptography Flaw: DNS Name Constraint Bypass in Versions <46.0.5
A critical security vulnerability in the widely-used Python `cryptography` library allows attackers to bypass DNS name constraints, potentially enabling certificate impersonation and man-in-the-middle attacks. The flaw, tracked as CVE-2026-34073, stems from name constraints not being checked against the "peer name" presented during certificate verification. The library only checked name constraints against Subject Alternative Names (SANs) within child certificates, leaving a dangerous validation gap.
The vulnerability specifically affects all versions of the `cryptography` package prior to 46.0.5. In practice, this bug could allow a server with a certificate for `bar.example.com` to incorrectly validate against a wildcard leaf certificate intended for a different subdomain, breaking a fundamental trust boundary in TLS/SSL communications. The issue was discovered and patched by the PyCA maintainers, leading to the immediate release of version 46.0.5. The pull request referenced shows a massive version jump from 41.0.4 to 46.0.6, indicating the severity and the extended period the codebase was exposed.
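The gap described above can be seen in a simplified model of name-constraint checking. This is an added example, not code from the `cryptography` library or its maintainers; the function names and the constraint values (a CA that permits `example.com` and excludes `bar.example.com`) are constructed assumptions chosen to match the `bar.example.com` and wildcard scenario in the text.

```python
# Simplified model of DNS name-constraint checking (RFC 5280, section 4.2.1.10).
# Not the cryptography library's code; all names and values are constructed.

def in_subtree(name: str, subtree: str) -> bool:
    """True if name equals subtree or is a subdomain of it."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def san_matches_peer(san: str, peer: str) -> bool:
    """Hostname match allowing a single left-most wildcard label."""
    san_labels, peer_labels = san.lower().split("."), peer.lower().split(".")
    if len(san_labels) != len(peer_labels):
        return False
    if san_labels[0] == "*":
        return san_labels[1:] == peer_labels[1:]
    return san_labels == peer_labels

def allowed(name, permitted, excluded) -> bool:
    """Apply excluded subtrees first, then permitted subtrees (if any)."""
    if any(in_subtree(name, e) for e in excluded):
        return False
    return not permitted or any(in_subtree(name, p) for p in permitted)

def verify(peer, leaf_sans, permitted, excluded, check_peer_name) -> bool:
    """Return True if the leaf is accepted for peer under the CA's constraints."""
    # Step 1: every SAN in the child certificate must satisfy the constraints.
    if not all(allowed(s, permitted, excluded) for s in leaf_sans):
        return False
    # Step 2: the peer name must match one of the SANs.
    if not any(san_matches_peer(s, peer) for s in leaf_sans):
        return False
    # Step 3 (the check the text says was missing): constrain the peer name too.
    if check_peer_name and not allowed(peer, permitted, excluded):
        return False
    return True

# Constructed scenario: CA permits example.com but excludes bar.example.com.
PERMITTED, EXCLUDED = ["example.com"], ["bar.example.com"]
LEAF_SANS = ["*.example.com"]  # the literal string is not inside the excluded subtree

def demo() -> dict:
    return {
        "san_only": verify("bar.example.com", LEAF_SANS, PERMITTED, EXCLUDED, False),
        "with_peer": verify("bar.example.com", LEAF_SANS, PERMITTED, EXCLUDED, True),
        "other_host": verify("foo.example.com", LEAF_SANS, PERMITTED, EXCLUDED, True),
    }

if __name__ == "__main__":
    print(demo())
```

The SAN-only path accepts the excluded host because the wildcard SAN string itself never falls inside the excluded subtree; applying the same constraints to the peer name closes that path without affecting hosts outside the exclusion.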
This flaw places immense pressure on developers and DevOps teams to urgently update their dependencies. Any Python application using the affected `cryptography` library for TLS, SSH, or X.509 certificate validation is at risk until patched. The silent nature of the bypass makes detection difficult, elevating the risk of undetected interception in financial, data, and API transactions. The coordinated disclosure and the significant version leap signal this is a high-priority, foundational security fix that cannot be ignored.