Cryptography Library Patches Critical X.509 Wildcard Certificate Flaw (CVE-2026-34073)

The widely-used Python cryptography library has patched a significant security vulnerability in its certificate verification logic. The flaw, tracked as CVE-2026-34073, could allow an attacker to bypass critical name constraints when a leaf certificate contains a wildcard DNS SAN, potentially enabling impersonation attacks in specific, non-standard X.509 topologies. The bug was discovered and reported by security researcher Oleh Konko (1seal).

The vulnerability was addressed in version 46.0.6 of the `pyca/cryptography` library, released on March 25, 2026. The security fix specifically corrects a scenario where name constraints—rules that restrict which domain names a certificate authority can issue certificates for—were not being properly applied to peer names during verification if the certificate in question used a wildcard. The maintainers emphasize that standard Web PKI (Public Key Infrastructure) configurations and common X.509 topologies are not affected, limiting the immediate blast radius but highlighting a risk for custom or specialized certificate trust chains.

This update is part of a broader security hardening effort for the library. The same release cycle (version 46.0.5) also introduced additional security checks to mitigate a separate, theoretical attack involving malicious public keys on uncommon binary elliptic curves, which could have leaked portions of a private key. While the primary CVE relates to a verification bypass, the consecutive patches signal ongoing scrutiny of the library's cryptographic edge cases. Developers and organizations relying on `cryptography` for TLS, code signing, or other PKI-dependent operations must prioritize this update to close potential attack vectors in non-standard deployments.