PyCA cryptography 46.0.6 patches critical X.509 name constraint bypass (CVE-2026-34073)

The PyCA cryptography library has released a critical security update to patch a vulnerability that could allow attackers to bypass name constraints during X.509 certificate verification. The flaw, tracked as CVE-2026-34073, was discovered by researcher Oleh Konko (1seal). It specifically affects scenarios where a leaf certificate contains a wildcard DNS Subject Alternative Name (SAN). In these cases, the library incorrectly failed to apply configured name constraints to the peer's name, potentially allowing a certificate to be validated for a domain it should be restricted from.

This vulnerability is highly specific. The maintainers emphasize that ordinary X.509 topologies, including those used by the mainstream Web PKI, are not affected. The risk is confined to more complex or custom certificate hierarchies where name constraints are explicitly used for authorization. The fix, released in version 46.0.6, ensures that name constraints are correctly enforced even when a wildcard SAN is present, closing a subtle but significant logic gap in the verification chain.

The update follows a previous security patch in version 46.0.5, which addressed a separate issue involving binary elliptic curves. That flaw could allow an attacker to craft a malicious public key to leak portions of a private key. The consecutive security releases signal active scrutiny of the library's cryptographic primitives and parsing logic. Developers and system administrators relying on PyCA cryptography for TLS, code signing, or custom PKI implementations must prioritize this update to mitigate potential authorization bypass risks in constrained environments.