Python cryptography Library Patches Critical X.509 Wildcard Certificate Validation Flaw (CVE-2026-34073)

The widely-used Python cryptography library has patched a significant security vulnerability in its X.509 certificate validation logic. The flaw, tracked as CVE-2026-34073, could allow an attacker to bypass critical name constraints when a leaf certificate contains a wildcard DNS SAN. This bypass occurs during peer name verification, potentially enabling spoofing or man-in-the-middle attacks in specific, non-standard certificate topologies.

The vulnerability was discovered and reported by researcher Oleh Konko (1seal). The core issue is that the library failed to correctly apply name constraints to peer names during verification if the leaf certificate used a wildcard DNS Subject Alternative Name. It is crucial to note that the maintainers, the PyCA team, state that ordinary X.509 topologies—including the entire Web PKI infrastructure used by browsers and most HTTPS connections—are not affected by this bug. The risk is confined to specialized or custom certificate authority setups that rely on name constraints with wildcard certificates.

This patch, released in version 46.0.6, follows another recent security fix in version 46.0.5, which addressed a separate attack vector involving malicious public keys on uncommon binary elliptic curves. That earlier issue could have leaked portions of a private key. The consecutive security releases signal active scrutiny of the library's cryptographic edge cases. For developers and organizations using the `cryptography` package in backend systems, especially those employing custom PKI with name constraints, immediate updating to version 46.0.6 or later is a critical security priority to close this validation gap.