Cryptography Library Patches Critical X.509 Wildcard Certificate Flaw (CVE-2026-34073)

A critical security vulnerability in the widely-used Python cryptography library has been patched, exposing a flaw in how X.509 certificates are validated. The bug, tracked as CVE-2026-34073, could allow an attacker to bypass critical name constraints during certificate verification if the leaf certificate contains a wildcard DNS SAN. This failure to properly apply constraints to peer names creates a potential vector for spoofing and man-in-the-middle attacks in specific, non-standard PKI topologies.

The vulnerability was discovered and reported by researcher Oleh Konko (1seal) and has been addressed in version 46.0.6 of the pyca/cryptography library. The update also includes a separate, important security fix for a less common but severe cryptographic issue. In the same release cycle, the library added checks to prevent attacks where a malicious public key could leak portions of a private key when using specific, uncommon binary elliptic curves.

While the primary CVE-2026-34073 does not affect the ordinary X.509 topologies used by the mainstream Web PKI, it poses a significant risk to custom or internal PKI implementations that rely on wildcard certificates with name constraints. The concurrent patch for the binary curve issue underscores a broader push for hardening cryptographic primitives against novel side-channel and key leakage attacks. This release signals ongoing, critical maintenance for a foundational security dependency used across millions of Python applications, from web services to infrastructure tooling.