RUSTSEC-2026-0099: Rustls-webpki Bug Incorrectly Accepts Wildcard Certificates Against Name Constraints

A critical validation flaw in the `rustls-webpki` library, a core component for TLS certificate verification in Rust, has been disclosed. The vulnerability, tracked as RUSTSEC-2026-0099 and GHSA-xgp8-3hg3-c2mh, incorrectly accepts permitted subtree name constraints for certificates asserting a wildcard DNS name. This means a certificate for `*.example.com` could be wrongly validated against a constraint intended to only allow `accept.example.com`, potentially permitting a name like `reject.example.com` that should be blocked. The bug mirrors a similar issue previously identified as CVE-2025-61727 in the Go ecosystem.

The flaw resides in the `rustls-webpki` crate versions prior to 0.103.12 and within certain alpha releases of the 0.104.x series. The library is widely used to secure communications in Rust applications. Crucially, exploitation requires a prior misissuance of a certificate, as name constraints act as an additional restriction layer on top of standard signature verification. This limits immediate attack vectors but creates a dangerous validation bypass if a malicious or erroneously issued wildcard certificate is introduced into a trust chain.

The discovery, credited to researcher @1seal, underscores persistent challenges in correctly implementing complex PKI name constraint logic across different cryptographic stacks. Patched versions (>=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6) are now available. Developers must urgently update their dependencies, as this vulnerability could undermine the integrity of TLS connections in affected Rust services, allowing potentially unauthorized domain impersonation within constrained namespaces.