RUSTSEC-2026-0099: rustls-webpki Bug Incorrectly Accepts Wildcard Certificates Under Name Constraints

A critical vulnerability in the widely-used `rustls-webpki` library incorrectly accepts wildcard certificates that should be blocked by DNS name constraints. The flaw, designated RUSTSEC-2026-0099 and GHSA-xgp8-3hg3-c2mh, allows a certificate asserting a wildcard name like `*.example.com` to be validated even when a permitted subtree constraint, such as `accept.example.com`, is in place. This creates a feasible path for a certificate to authorize a name like `reject.example.com`, which lies outside the intended constraint boundary.

The bug resides in the library's name constraint validation logic for versions prior to 0.103.12 and within certain alpha releases of the 0.104.x series. Patched versions are available (>=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6). The vulnerability is analogous to a similar issue tracked as CVE-2025-61727 in the Go ecosystem. Crucially, exploitation requires a prior misissuance of a certificate, as name constraints act as a secondary restriction on certificates that have already passed signature verification.

This flaw exposes systems relying on `rustls-webpki` for TLS certificate validation to potential impersonation attacks if a certificate authority erroneously issues a constrained wildcard certificate. The impact is concentrated within the Rust ecosystem's secure communication stack, affecting any service using vulnerable versions of the library to validate TLS connections. While the attack prerequisite of certificate misissuance raises the barrier for exploitation, the core validation logic failure represents a significant security lapse in a fundamental trust component.