Rustls-webpki Cryptographic Library Flagged for CRL Parsing Panic and URI Validation Gaps

A security audit has identified multiple vulnerabilities in `[email protected]`, a widely deployed Rust library for TLS certificate validation. The flaws affect critical certificate verification functions, raising concerns for applications that rely on the library for secure network connections. The audit, cataloged under RUSTSEC identifiers, surfaces two distinct issues with potentially broad downstream impact on encrypted communications infrastructure.

The first vulnerability, RUSTSEC-2026-0104, exposes a reachable panic during certificate revocation list (CRL) parsing. The flaw stems from mishandling syntactically valid empty `BIT STRING` values within the `onlySomeReasons` element of an `IssuingDistributionPoint` CRL extension. Critically, the panic occurs prior to signature verification, meaning an attacker could trigger the failure without possessing a valid CRL signature. The issue affects applications that parse CRLs via `BorrowedCertRevocationList::from_der` or `OwnedCertRevocationList::from_der`. Applications that do not use CRL functionality remain unaffected. Patched versions are available at `>=0.103.13`, `<0.104.0-alpha.1`, and `>=0.104.0-alpha.7`.

The second identified flaw, RUSTSEC-2026-0098, involves incorrect handling of name constraints for URI names. According to the audit, URI-based name constraints were being ignored rather than properly validated, potentially allowing certificates with URI subjects outside permitted constraints to pass validation. This represents a deviation from expected PKIX specification behavior and could affect security decisions in environments relying on strict certificate naming policies. The audit report indicates a third vulnerability exists but details are not yet visible in the current source material. Users of `rustls-webpki` are advised to review their library versions and apply available patches.