RUSTSEC-2026-0044

See a problem?
Please try reporting it to the source first.
Source
https://rustsec.org/advisories/RUSTSEC-2026-0044
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0044.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0044
Aliases
Published
2026-03-19T12:00:00Z
Modified
2026-03-20T17:15:07.834445Z
Summary
AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN
Details

A logic error in CN (Common Name) validation allows certificates with wildcard or raw UTF-8 Unicode CN values to bypass name constraints enforcement. The cn2dnsid function does not recognize these CN patterns as valid DNS identifiers, causing NAME_CONSTRAINTS_check_CN to skip validation. However, X509_check_host accepts these CN values when no dNSName SAN is present, allowing certificates to bypass name constraints while still being used for hostname verification.

Customers of AWS services do not need to take action. Applications using aws-lc-sys should upgrade to the most recent release of aws-lc-sys.

Workarounds

Applications that set X509_CHECK_FLAG_NEVER_CHECK_SUBJECT to disable CN fallback are not affected. Applications that only encounter certificates with dNSName SANs (standard for public WebPKI) are also not affected.

Otherwise, there is no workaround and applications using aws-lc-sys should upgrade to the most recent releases of aws-lc-sys.

Database specific 
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / aws-lc-sys

Package

Name
aws-lc-sys
View open source insights on deps.dev
Purl
pkg:cargo/aws-lc-sys

Affected ranges

Type
SEMVER
Events
Introduced
0.32.0
Fixed
0.39.0

Ecosystem specific 

{
    "affected_functions": null,
    "affects": {
        "functions": [],
        "arch": [],
        "os": []
    }
}

Database specific

source 
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0044.json"
informational 
null
categories 
[
    "crypto-failure"
]
cvss 
null