Anonymous Intelligence Signal

Cryptography Library Patches Critical X.509 Wildcard Certificate Validation Flaw (CVE-2026-34073)

human The Lab unverified 2026-03-28 19:27:02 Source: GitHub Issues

A critical security vulnerability in the widely used Python cryptography library has been patched. The flaw is in X.509 certificate validation and could allow attackers to bypass name constraints. The bug, tracked as CVE-2026-34073, occurred when a leaf certificate contained a wildcard DNS Subject Alternative Name (SAN): in that scenario, the library failed to apply configured name constraints to peer names during verification, potentially enabling spoofing or man-in-the-middle attacks in non-standard PKI topologies. The issue was reported by security researcher Oleh Konko (1seal).
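Why the peer name has to be checked as well as the SAN, shown as an added example (not code from pyca/cryptography or from the advisory): a wildcard SAN can pass a literal name-constraint comparison while the peer name it matches sits inside an excluded subtree. The hostnames, constraint values and function names are constructed for illustration, and the literal SAN comparison is an assumption, not a description of the library's internals.

```python
# Added example: RFC 5280 dNSName constraints evaluated against the peer
# name as well as the SAN strings. All names and values are constructed.

def _labels(name):
    return name.lower().rstrip(".").split(".")

def in_subtree(name, subtree):
    """dNSName constraint: name equals the subtree or adds labels on the left."""
    n, s = _labels(name), _labels(subtree)
    return len(n) >= len(s) and n[len(n) - len(s):] == s

def san_matches_peer(san, peer):
    """RFC 6125-style match: '*' only as the whole left-most label, one label deep."""
    s, p = _labels(san), _labels(peer)
    if len(s) != len(p):
        return False
    if s[0] == "*":
        return len(s) > 2 and s[1:] == p[1:]
    return s == p

def constraints_allow(name, permitted, excluded):
    """Excluded subtrees always win; an empty permitted list means 'no restriction'."""
    if any(in_subtree(name, e) for e in excluded):
        return False
    return not permitted or any(in_subtree(name, p) for p in permitted)

def verify_peer(peer, sans, permitted=(), excluded=()):
    """Accept only if a SAN matches the peer, every SAN satisfies the
    constraints, and the peer name itself satisfies them too."""
    matched = any(san_matches_peer(s, peer) for s in sans)
    san_ok = all(constraints_allow(s, permitted, excluded) for s in sans)
    peer_ok = constraints_allow(peer, permitted, excluded)
    return {"matched": matched, "san_ok": san_ok, "peer_ok": peer_ok,
            "accepted": matched and san_ok and peer_ok}

# Constructed scenario: issuing CA permits example.test but excludes one subtree.
PERMITTED = ["example.test"]
EXCLUDED = ["internal.example.test"]
LEAF_SANS = ["*.example.test"]

if __name__ == "__main__":
    for peer in ("www.example.test", "internal.example.test", "a.b.example.test"):
        print(peer, verify_peer(peer, LEAF_SANS, PERMITTED, EXCLUDED))
```

For `internal.example.test` the result has `san_ok` true and `peer_ok` false: a verifier that stopped at the SAN comparison would accept a name the CA's constraints exclude.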

The patch was released in version 46.0.6 of the pyca/cryptography library on March 25, 2026. The update also includes a separate security fix for a vulnerability affecting binary elliptic curves, where a maliciously crafted public key could leak portions of a user's private key. This second issue, while serious, is limited to the less common binary curve implementations. The library's maintainers have moved swiftly to address both flaws, emphasizing that the primary X.509 bug does not affect standard Web PKI topologies.

This disclosure warrants immediate scrutiny from any enterprise or application that relies on the cryptography library for TLS/SSL, code signing, or internal PKI where wildcard certificates and custom name constraints are used. System administrators and DevOps teams must prioritize upgrading to version 46.0.6 or later to mitigate the risk. The presence of a CVE identifier and the credit to a named security researcher indicate a coordinated disclosure, which strengthens the case for urgent patching across the Python ecosystem to prevent potential exploitation.