## Cryptography Library Patches Critical X.509 Wildcard Bug (CVE-2026-34073)
The widely used Python cryptography library has patched a critical flaw in X.509 certificate verification that could allow attackers to bypass name constraints. The bug, tracked as CVE-2026-34073, was present when a leaf certificate contained a wildcard DNS SAN (Subject Alternative Name). In this specific scenario, the library failed to apply name constraints to peer names during verification, potentially enabling spoofing or man-in-the-middle attacks in non-standard PKI topologies.
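The gap described above can be shown with a simplified model of DNS name-constraint checking. This is an added example, not pyca/cryptography code: the function names, the `constrain_peer` switch, the `example.com` names and the handling of a wildcard SAN by its base domain are all assumptions made for illustration.

```python
# Simplified model; constructed names, not the library's implementation.

def in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 DNS constraint: equal to the subtree, or labels added on the left."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def san_matches(san: str, peer: str) -> bool:
    """Exact match, or a leftmost-label wildcard covering exactly one label."""
    san, peer = san.lower(), peer.lower()
    if san.startswith("*."):
        head, _, rest = peer.partition(".")
        return bool(head) and rest == san[2:]
    return san == peer

def allowed(name: str, permitted: list[str], excluded: list[str]) -> bool:
    """Apply excluded subtrees first, then permitted subtrees if any are set."""
    if any(in_subtree(name, s) for s in excluded):
        return False
    return not permitted or any(in_subtree(name, s) for s in permitted)

def verify(peer, sans, permitted, excluded, constrain_peer):
    """constrain_peer=False models constraints checked against SANs only."""
    if not any(san_matches(s, peer) for s in sans):
        return False
    # Constraints applied to the names written in the certificate.
    # Assumption: a wildcard SAN is checked by its base domain.
    for s in sans:
        if not allowed(s[2:] if s.startswith("*.") else s, permitted, excluded):
            return False
    # The step the article says was missing: constrain the peer name itself.
    if constrain_peer and not allowed(peer, permitted, excluded):
        return False
    return True

# Constructed scenario: CA excludes one host, leaf carries a wildcard SAN.
SANS, PERMITTED, EXCLUDED = ["*.example.com"], [], ["bar.example.com"]

if __name__ == "__main__":
    for peer in ("foo.example.com", "bar.example.com"):
        print(peer,
              "SAN-only:", verify(peer, SANS, PERMITTED, EXCLUDED, False),
              "peer-constrained:", verify(peer, SANS, PERMITTED, EXCLUDED, True))
```

In the constructed scenario the wildcard SAN itself passes the constraint, so only the check on the peer name rejects the excluded host.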

The vulnerability was discovered and reported by security researcher Oleh Konko (1seal). The maintainers of the pyca/cryptography project have released version 46.0.6 to address the issue. Notably, the maintainers state that ordinary X.509 topologies, including those underpinning the global Web PKI, are not affected. This limits the immediate blast radius but highlights a critical edge-case failure in a foundational security library.

The patch is part of a broader update that also includes a separate security fix for a less common attack vector involving binary elliptic curves. The coordinated disclosure and rapid patch underscore the ongoing pressure on open-source maintainers to secure cryptographic primitives that form the backbone of modern software infrastructure. Organizations relying on custom or complex certificate chains should prioritize this update to mitigate potential impersonation risks.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, cryptography, python, CVE-2026-34073
- **Credibility**: unverified
- **Published**: 2026-03-29 00:26:52
- **ID**: 39372
- **URL**: https://whisperx.ai/en/intel/39372