RUSTSEC-2026-0099

See a problem?
Please try reporting it to the source first.
Source
https://rustsec.org/advisories/RUSTSEC-2026-0099
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0099.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0099
Aliases
Published
2026-04-14T12:00:00Z
Modified
2026-04-15T10:00:06.619583Z
Summary
Name constraints were accepted for certificates asserting a wildcard name
Details

Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.

This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.

This vulnerability is identified as GHSA-xgp8-3hg3-c2mh. Thank you to @1seal for the report.

Database specific 
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / rustls-webpki

Package

Name
rustls-webpki
View open source insights on deps.dev
Purl
pkg:cargo/rustls-webpki

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
0.103.12
Introduced
0.104.0-alpha.1
Fixed
0.104.0-alpha.6

Ecosystem specific 

{
    "affects": {
        "functions": [],
        "arch": [],
        "os": []
    },
    "affected_functions": null
}

Database specific

informational 
null
categories 
[]
cvss 
null
source 
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0099.json"