Cryptography Library Vulnerability: DNS Name Constraint Bypass in Versions <46.0.6

A critical security vulnerability in the widely used Python cryptography library has been disclosed, allowing for a bypass of DNS name constraints during certificate validation. The flaw, tracked as CVE-2026-34073, was present in all versions prior to 46.0.6. The core failure was that DNS name constraints were only validated against Subject Alternative Names (SANs) within child certificates, not the actual "peer name" presented during each validation step. This oversight created a dangerous loophole in the certificate chain trust mechanism.

Specifically, the vulnerability could allow a peer named `bar.example.com` to incorrectly validate against a wildcard leaf certificate for `*.example.com`. This validation would succeed even if a parent certificate higher up in the chain contained an excluded subtree constraint that should have blocked the `bar.example.com` domain. The flaw fundamentally undermines the intended security policy enforced by name constraints, which are designed to restrict the names a certificate authority (CA) is permitted to certify.

The patch, released in version 46.0.6, corrects this logic by ensuring the peer name is validated against all relevant name constraints throughout the certificate chain. This vulnerability highlights a subtle but significant failure in a foundational security library used by countless Python applications for TLS/SSL, data encryption, and authentication. Developers and system administrators must urgently update their dependencies to cryptography v46.0.6 to close this validation bypass and restore proper trust boundary enforcement.