RUSTSEC-2026-0098

See a problem?
Please try reporting it to the source first.
Source
https://rustsec.org/advisories/RUSTSEC-2026-0098
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0098.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0098
Aliases
Published
2026-04-14T12:00:00Z
Modified
2026-04-15T07:45:09.251656Z
Summary
Name constraints for URI names were incorrectly accepted
Details

Name constraints for URI names were ignored and therefore accepted.

Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented. URI name constraints are now rejected unconditionally.

Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.

This vulnerability is identified as GHSA-965h-392x-2mh5. Thank you to @1seal for the report.

Database specific 
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / rustls-webpki

Package

Name
rustls-webpki
View open source insights on deps.dev
Purl
pkg:cargo/rustls-webpki

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
0.103.12
Introduced
0.104.0-alpha.1
Fixed
0.104.0-alpha.6

Ecosystem specific 

{
    "affects": {
        "functions": [],
        "arch": [],
        "os": []
    },
    "affected_functions": null
}

Database specific

informational 
null
categories 
[]
cvss 
null
source 
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0098.json"