GHSA-xgp8-3hg3-c2mh
ADVISORY - githubSummary
Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint.
This is very similar to CVE-2025-61727.
Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
Common Weakness Enumeration (CWE)
ADVISORY - github
Improper Certificate Validation
RustSec
CREATED
UPDATED
ADVISORY IDRUSTSEC-2026-0099
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| rustls-webpki | cargo | - | - | <0.103.12 | 0.103.12 |
| rustls-webpki | cargo | - | - | >=0.104.0-alpha.1,<0.104.0-alpha.6 | 0.104.0-alpha.6 |
Severity and metrics
No CVSS data available from this advisory.
GitHub
CREATED
UPDATED
ADVISORY IDGHSA-xgp8-3hg3-c2mh
EXPLOITABILITY SCORE
0.7
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)