Cryptography Library Security Patch: CVE-2026-34073 Fixes Wildcard DNS SAN Name Constraint Bypass
A critical security vulnerability in the widely used Python cryptography library has been patched, addressing a flaw that could allow attackers to bypass name constraints during certificate verification. The issue, tracked as CVE-2026-34073, was discovered in version 46.0.3 and fixed in the newly released 46.0.6. The bug occurs when a leaf certificate contains a wildcard DNS SAN (Subject Alternative Name): in that case the library fails to apply name constraints to the peer name during verification. This creates a potential avenue for spoofing or man-in-the-middle attacks in specific, non-standard X.509 certificate topologies.
The vulnerability was reported by security researcher Oleh Konko (1seal). Importantly, the maintainers note that ordinary X.509 topologies, including those underpinning the global Web PKI (Public Key Infrastructure) used by most websites, are not affected. This significantly limits the immediate, widespread impact but highlights a niche attack surface for custom or internal PKI deployments that rely on wildcard certificates with specific name constraint policies. The patch ensures that name constraints are correctly enforced in all scenarios, closing this security gap.
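The difference between constraining only the leaf's SAN entries and also constraining the peer name can be seen in a small model. This is an added example, not code from pyca/cryptography or from the advisory; the label-wise suffix matching, the function names, and the excluded-subtree scenario with `example.test` names are assumptions made for illustration.

```python
# Simplified model (assumption): DNS name constraints as label-wise suffix
# matching. This is not pyca/cryptography's implementation.

def labels(name):
    return name.lower().rstrip(".").split(".")

def in_subtree(name, subtree):
    """True if `name` equals `subtree` or is a subdomain of it."""
    n, s = labels(name), labels(subtree)
    return len(n) >= len(s) and n[len(n) - len(s):] == s

def wildcard_matches(pattern, peer):
    """Left-most-label wildcard match, e.g. *.example.test vs a.example.test."""
    p, h = labels(pattern), labels(peer)
    if p[0] != "*":
        return p == h
    return len(p) == len(h) and p[1:] == h[1:]

def constraints_ok(name, permitted, excluded):
    """Apply excluded subtrees first, then permitted subtrees (if any)."""
    if any(in_subtree(name, e) for e in excluded):
        return False
    return not permitted or any(in_subtree(name, p) for p in permitted)

def verify(peer, leaf_sans, permitted, excluded, check_peer=True):
    """Return True if `peer` is accepted for a leaf carrying `leaf_sans`.

    check_peer=False models a verifier that applies constraints to the SAN
    entries only; check_peer=True also applies them to the peer name.
    """
    if not any(wildcard_matches(s, peer) for s in leaf_sans):
        return False
    if not all(constraints_ok(s, permitted, excluded) for s in leaf_sans):
        return False
    return constraints_ok(peer, permitted, excluded) if check_peer else True

# Constructed sample: a private CA permits example.test but excludes one host.
PERMITTED = ["example.test"]
EXCLUDED = ["vault.example.test"]
LEAF_SANS = ["*.example.test"]

if __name__ == "__main__":
    for peer in ("www.example.test", "vault.example.test"):
        print(peer,
              "SAN-only:", verify(peer, LEAF_SANS, PERMITTED, EXCLUDED, False),
              "SAN+peer:", verify(peer, LEAF_SANS, PERMITTED, EXCLUDED, True))
```

In this model the wildcard SAN itself never falls inside the excluded subtree, so only the check on the peer name rejects the excluded host.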
While the core internet infrastructure remains secure, this update is mandatory for any project or enterprise application that utilizes the `pyca/cryptography` library in environments with custom certificate authorities and wildcard SANs. Failure to upgrade could leave specialized systems exposed to impersonation attacks. The release also includes a separate fix from version 46.0.5 for a vulnerability involving binary elliptic curves, where a malicious public key could leak portions of a private key. These consecutive security patches underscore the ongoing scrutiny and maintenance required for foundational cryptographic software, urging developers to prioritize dependency updates.