Wildcard Certificates Can Bypass Name Constraints
GHSA-xgp8-3hg3-c2mh
Summary
In rustls-webpki, a certificate asserting a wildcard DNS name could be accepted under a name constraint even though the wildcard covers names outside that constraint, bypassing the intended name restrictions and potentially allowing unauthorized access. The issue affects only certificates that use wildcard names, and it can be exploited only if such a certificate is improperly issued. To protect against this, ensure that your certificates are properly validated and issued by a trusted authority.
What to do
- Update ctz rustls-webpki to version 0.103.12.
- Update ctz rustls-webpki to version 0.104.0-alpha.6.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| crates.io | ctz | rustls-webpki | >= 0.101.0, < 0.103.12; >= 0.104.0-alpha.1, < 0.104.0-alpha.6. Fix: upgrade to 0.103.12 |
Original title
webpki: Name constraints were accepted for certificates asserting a wildcard name
Original description
Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
This was incorrect because, given a name constraint of `accept.example.com`, `*.example.com` could feasibly allow a name of `reject.example.com` which is outside the constraint.
This is very similar to [CVE-2025-61727](https://go.dev/issue/76442).
Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
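The case described above, worked through as an added example (not rustls-webpki's code, and not its actual fix): a strict check accepts a wildcard only when every name it can expand to lies inside the permitted subtree, while a naive check accepts it when some expansion does. All function names are hypothetical, and the naive variant is a constructed illustration of the behaviour the advisory describes.

```rust
// Added illustration; all names here are hypothetical, not rustls-webpki APIs.

/// RFC 5280 DNS subtree match: `name` equals `subtree` or adds labels on the left.
fn in_subtree(name: &str, subtree: &str) -> bool {
    let (name, subtree) = (name.to_ascii_lowercase(), subtree.to_ascii_lowercase());
    if subtree.is_empty() {
        return true; // an empty DNS constraint matches every name
    }
    name == subtree || name.ends_with(format!(".{}", subtree).as_str())
}

/// True if `host` is exactly one label prepended to `parent`, i.e. `*.parent` matches it.
fn wildcard_matches(parent: &str, host: &str) -> bool {
    host.split_once('.')
        .map_or(false, |(_, rest)| rest.eq_ignore_ascii_case(parent))
}

/// Strict: `*.parent` expands to `<label>.parent` for any label, so it is inside
/// the permitted subtree only if `parent` itself is inside it.
fn san_permitted(san: &str, permitted: &str) -> bool {
    match san.strip_prefix("*.") {
        Some(parent) => in_subtree(parent, permitted),
        None => in_subtree(san, permitted),
    }
}

/// Naive (constructed): accepts a wildcard if it matches the constraint's own name,
/// ignoring every other name the wildcard also covers.
fn san_permitted_naive(san: &str, permitted: &str) -> bool {
    match san.strip_prefix("*.") {
        Some(parent) => in_subtree(parent, permitted) || wildcard_matches(parent, permitted),
        None => in_subtree(san, permitted),
    }
}

fn main() {
    let permitted = "accept.example.com"; // constraint used in the advisory text
    for san in ["*.example.com", "*.accept.example.com", "accept.example.com"] {
        println!(
            "{}: naive={} strict={}",
            san,
            san_permitted_naive(san, permitted),
            san_permitted(san, permitted)
        );
    }
}
```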
osv CVSS3.1
2.2
Vulnerability type
CWE-295
Improper Certificate Validation
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026