## Cryptography Library Patches Critical X.509 Wildcard Certificate Flaw (CVE-2026-34073)
A security vulnerability in the widely used Python cryptography library has been patched, addressing a flaw that could undermine certificate validation in specific, non-standard PKI configurations. The issue, tracked as CVE-2026-34073, was a bug in which X.509 name constraints (the permitted and excluded subtrees a CA certificate may assert) were not correctly applied to the peer name being verified when the leaf certificate carried a wildcard DNS Subject Alternative Name (SAN). A leaf whose wildcard SAN passed the constraint check could therefore be accepted for a host name that the issuing CA was never permitted to vouch for, a bypass of the intended trust boundary. The maintainers emphasize that standard Web PKI topologies and common use cases are not affected; the exposure is limited to deployments that rely on name-constrained CAs, such as private or delegated PKIs.
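To make the failure mode concrete, the following is an added, stdlib-only Python example; it is not code from pyca/cryptography, from the advisory, or from the reporter, and it does not reproduce the specific trigger of CVE-2026-34073. It models the check a verifier must perform for a name-constrained CA: each DNS SAN in the leaf is tested against the permitted and excluded subtrees with RFC 5280 section 4.2.1.10 semantics (a constraint `example.com` covers the name and all its subdomains), the peer name is matched against the SANs with single-label wildcard matching, and then the peer name itself is tested against the same constraints. The `check_peer_name` switch, the constraint set and the host names are constructed for illustration; the function names are this example's own.

```python
"""Model of DNS name-constraint checking that also covers the peer name.

Added example, not pyca/cryptography's implementation. A wildcard SAN such as
*.example.com can satisfy the constraint check while still covering a peer name
inside an excluded subtree, so a verifier must constrain the peer name too.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DnsConstraints:
    """DNS subtrees from a CA's NameConstraints extension (constructed for the demo)."""
    permitted: tuple[str, ...] = ()  # empty means no permitted subtrees asserted
    excluded: tuple[str, ...] = ()


def _labels(name: str) -> list[str]:
    """Lower-case DNS labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 DNS constraint match: name equals base or is a subdomain of it."""
    n, b = _labels(name), _labels(base)
    if b and b[0] == "":  # tolerate a leading "." in the constraint
        b = b[1:]
    if not b:             # an empty constraint matches everything
        return True
    return len(n) >= len(b) and n[-len(b):] == b


def name_permitted(name: str, c: DnsConstraints) -> bool:
    """A name passes if it is inside some permitted subtree (when any are
    asserted) and inside no excluded subtree."""
    if c.permitted and not any(dns_in_subtree(name, p) for p in c.permitted):
        return False
    return not any(dns_in_subtree(name, e) for e in c.excluded)


def wildcard_matches(pattern: str, host: str) -> bool:
    """Host-name match where '*' may only be the entire left-most label and
    stands for exactly one label (no '*.com' style patterns)."""
    p, h = _labels(pattern), _labels(host)
    if any("*" in lab for lab in p[1:]) or (p[0] != "*" and "*" in p[0]):
        return False  # partial or non-left-most wildcards are rejected
    if p[0] == "*":
        return len(p) >= 3 and len(h) == len(p) and h[1:] == p[1:]
    return p == h


def verify_server_name(peer: str, dns_sans: tuple[str, ...],
                       constraints: DnsConstraints,
                       check_peer_name: bool = True) -> tuple[bool, str]:
    """Return (accepted, reason) for a leaf's DNS SANs against a peer name.

    check_peer_name=False models a verifier that constrains only the SANs;
    with it on, the resolved peer name is constrained as well.
    """
    for san in dns_sans:
        if not name_permitted(san, constraints):
            return False, f"SAN {san!r} violates name constraints"
    if not any(wildcard_matches(san, peer) for san in dns_sans):
        return False, f"no SAN matches peer name {peer!r}"
    if check_peer_name and not name_permitted(peer, constraints):
        return False, f"peer name {peer!r} violates name constraints"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: CA may issue under example.com but not under
    # internal.example.com; the leaf carries a wildcard SAN.
    c = DnsConstraints(permitted=("example.com",), excluded=("internal.example.com",))
    sans = ("*.example.com",)
    for peer in ("www.example.com", "internal.example.com", "www.evil.com"):
        print(peer, verify_server_name(peer, sans, c),
              "| SAN-only:", verify_server_name(peer, sans, c, check_peer_name=False))
```

The wildcard SAN `*.example.com` is inside the permitted subtree and is not itself inside the excluded one, so a SAN-only check accepts it; only the extra step on the peer name rejects `internal.example.com`. That is the general shape of the gap the advisory describes, regardless of how a given verifier treats the `*` label when comparing SANs to subtrees.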

The flaw was discovered and reported by security researcher Oleh Konko (1seal). The fix shipped in version 46.0.6 of the cryptography library, which is maintained by the PyCA (Python Cryptographic Authority) organization. The update tracked here moves a pinned dependency from 40.0.2 to 46.0.6; a jump of that size spans several major releases and brings API and feature changes along with the fix, so projects pinned to older versions should expect more than a drop-in patch. The 46.0.6 changelog itself consists essentially of this single security fix, marking it as a dedicated security release rather than a routine feature update.

While the immediate risk is confined to specialized or custom PKI deployments, the patch prompts a dependency upgrade across the many Python projects that pin cryptography directly or pull it in transitively, and with it a cascade of security reviews and deployment cycles through the software supply chain. Teams assessing exposure should look for code paths that verify certificates with the library itself against a CA that asserts name constraints; everything else can treat this as a routine upgrade. The incident underscores the persistent, easily overlooked risks in foundational cryptographic dependencies and the importance of monitoring and applying such security updates promptly, even for libraries considered mature and stable.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, python, cryptography, CVE-2026-34073
- **Credibility**: unverified
- **Published**: 2026-03-28 08:27:06
- **ID**: 38867
- **URL**: https://whisperx.ai/en/intel/38867