RUSTSEC-2026-0099: Critical rustls-webpki Flaw Incorrectly Validates Wildcard Certificates Against Name Constraints
A critical security vulnerability in the widely used `rustls-webpki` library incorrectly accepts name constraints for certificates asserting a wildcard DNS name. This flaw, designated RUSTSEC-2026-0099, allows a certificate for `*.example.com` to pass validation against a permitted subtree constraint of `accept.example.com`. The bug could feasibly permit a certificate to authenticate a name like `reject.example.com`, which lies outside the intended constraint, effectively bypassing a core security boundary.
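The distinction at issue, as an added example (a constructed model, not rustls-webpki's code or its patch): a wildcard name fits a permitted subtree only if every name it can match lies inside the subtree, not merely one of them. The function names and the label substitution in `naive_permits` are assumptions made for illustration.

```rust
// Constructed model for illustration; not rustls-webpki's code or its patch.

/// True if `name` equals `subtree` or is a subdomain of it (RFC 5280: adding
/// zero or more labels on the left keeps a DNS name inside the subtree).
fn in_subtree(name: &str, subtree: &str) -> bool {
    let (name, subtree) = (name.to_ascii_lowercase(), subtree.to_ascii_lowercase());
    name == subtree || name.ends_with(&format!(".{}", subtree))
}

/// Flawed model (assumed): accept when SOME expansion of the wildcard is in
/// the subtree, here by substituting the constraint's own leftmost label.
fn naive_permits(presented: &str, subtree: &str) -> bool {
    match presented.strip_prefix("*.") {
        Some(parent) => {
            let label = subtree.split('.').next().unwrap_or("");
            in_subtree(&format!("{}.{}", label, parent), subtree)
        }
        None => in_subtree(presented, subtree),
    }
}

/// Strict model: EVERY expansion `x.parent` must be in the subtree, which
/// holds exactly when `parent` itself is in the subtree.
fn strict_permits(presented: &str, subtree: &str) -> bool {
    match presented.strip_prefix("*.") {
        Some(parent) => in_subtree(parent, subtree),
        None => in_subtree(presented, subtree),
    }
}

fn main() {
    // Constructed cases using the names from the advisory text.
    let cases = [
        ("*.example.com", "accept.example.com"),
        ("*.accept.example.com", "accept.example.com"),
        ("reject.example.com", "accept.example.com"),
    ];
    for &(san, permitted) in cases.iter() {
        println!(
            "{:<22} vs permitted {:<20} naive={} strict={}",
            san, permitted,
            naive_permits(san, permitted),
            strict_permits(san, permitted)
        );
    }
}
```

A test of this shape, run against the real validator with a name-constrained test CA, is a useful regression check after upgrading.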
The vulnerability is present in version `0.103.9` of the `rustls-webpki` package, a fundamental component for TLS certificate validation in the Rust ecosystem. The issue is strikingly similar to a prior Go vulnerability, CVE-2025-61727, highlighting a recurring pattern in cryptographic library implementations. The bug's reachability is narrow: it is only reachable after successful signature verification of a certificate, meaning an attacker must first possess a valid, properly issued certificate from a trusted Certificate Authority (CA) that contains a wildcard. The flaw then lies in the subsequent name constraint validation logic.
This vulnerability affects any service or application relying on the affected version of `rustls-webpki` for client or server certificate validation with name constraints. Systems using name constraints for internal PKI segmentation or to restrict certificate usage within specific subdomains are at direct risk. The maintainers have released patched versions (`>=0.103.12, <0.104.0-alpha.1` or `>=0.104.0-alpha.6`), making immediate remediation the primary defensive action. The flaw underscores the persistent complexity in correctly implementing wildcard and name constraint interactions across different cryptographic stacks.