Critical Panic Vulnerability Disclosed in rustls-webpki Certificate Revocation List Parsing
A security audit has identified three vulnerabilities in rustls-webpki, a widely deployed Rust library for X.509 certificate validation and TLS operations. The most severe issue, catalogued as RUSTSEC-2026-0104, allows a reachable panic during certificate revocation list (CRL) parsing in versions prior to 0.103.13 and 0.104.0-alpha.7.
The vulnerability stems from mishandling a syntactically valid empty BIT STRING within the `onlySomeReasons` element of an `IssuingDistributionPoint` CRL extension. Critically, the panic is reached through `BorrowedCertRevocationList::from_der` or `OwnedCertRevocationList::from_der` before signature verification, so a specially crafted CRL can cause a denial of service before any cryptographic validation completes. Applications that do not use CRL functionality are unaffected. The flaw was reported by researcher @tynus3.
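To make the edge case concrete, the following is an added illustration, not rustls-webpki's own code, of a small DER BIT STRING decoder (the `ReasonFlags` in `onlySomeReasons` is a BIT STRING) that treats zero data octets as a legal "no bits set" value and reports malformed encodings as errors instead of panicking. The `DerError`, `BitString` and `parse_bit_string` names are assumptions for this example; the page does not say how the library's own parser mishandled the empty case.

```rust
// Hypothetical defensive decoder for a DER BIT STRING (tag 0x03), added as an
// example; it is not the rustls-webpki implementation.
#[derive(Debug, PartialEq)]
pub enum DerError {
    Truncated,          // tag, length or contents run past the input
    LongFormLength,     // multi-byte lengths are out of scope for this example
    WrongTag(u8),       // not a BIT STRING
    BadUnusedBits,      // unused-bit count > 7, or non-zero with no data octets
}

/// A borrowed BIT STRING value: unused-bit count plus the data octets.
#[derive(Debug, PartialEq)]
pub struct BitString<'a> {
    pub unused_bits: u8,
    pub data: &'a [u8],
}

impl<'a> BitString<'a> {
    /// Whether bit `i` is set (bit 0 = most significant bit of the first octet,
    /// the numbering RFC 5280 uses for ReasonFlags). Bits beyond the encoded
    /// length, including every bit of an empty BIT STRING, read as unset
    /// instead of indexing past the slice.
    pub fn bit(&self, i: usize) -> bool {
        let total_bits = self.data.len() * 8 - self.unused_bits as usize;
        if i >= total_bits {
            return false;
        }
        self.data[i / 8] & (0x80 >> (i % 8)) != 0
    }
}

/// Parse one DER BIT STRING with a short-form (single-byte) length.
/// Every access uses `get`/`split_first`, so no input can cause a panic.
pub fn parse_bit_string(der: &[u8]) -> Result<BitString<'_>, DerError> {
    let tag = *der.first().ok_or(DerError::Truncated)?;
    if tag != 0x03 {
        return Err(DerError::WrongTag(tag));
    }
    let len = *der.get(1).ok_or(DerError::Truncated)? as usize;
    if len >= 0x80 {
        return Err(DerError::LongFormLength);
    }
    let contents = der.get(2..2 + len).ok_or(DerError::Truncated)?;
    // DER requires the unused-bits octet even when there are no data octets,
    // so `03 01 00` is the valid encoding of an empty BIT STRING.
    let (&unused_bits, data) = contents.split_first().ok_or(DerError::Truncated)?;
    if unused_bits > 7 || (data.is_empty() && unused_bits != 0) {
        return Err(DerError::BadUnusedBits);
    }
    Ok(BitString { unused_bits, data })
}
```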
A second vulnerability, RUSTSEC-2026-0098, concerns incorrect handling of name constraints for URI names, which were reportedly ignored during validation. The third disclosed vulnerability remains partially unspecified in the available documentation. Organizations running affected rustls-webpki versions should prioritize upgrading to the fixed releases: 0.103.13 or later, or 0.104.0-alpha.7 and above. Given the library's central role in secure communications infrastructure, the pre-verification trigger path is a concern for any deployment that relies on rustls for TLS certificate chain validation and processes CRLs.