## Cryptography Library Patches Critical X.509 Wildcard Certificate Validation Flaw (CVE-2026-34073)
The widely used Python cryptography library has patched a critical security vulnerability in its X.509 certificate validation logic. The flaw, tracked as CVE-2026-34073, could allow an attacker to bypass critical name constraints when a leaf certificate carries a wildcard DNS subjectAltName (SAN). The bypass occurs during peer name verification and could enable impersonation or man-in-the-middle attacks in specific, non-standard certificate topologies. The maintainers emphasize that ordinary X.509 topologies, including those underpinning the global Web PKI, are not affected by this bug.

The vulnerability was reported by security researcher Oleh Konko (1seal) and fixed in version 46.0.6, released on March 25, 2026. The patch ensures that name constraints are correctly applied to peer names during verification, closing the loophole. This update follows a previous security release, version 46.0.5, which addressed a separate issue where malicious public keys on uncommon binary elliptic curves could leak portions of a user's private key.

The consecutive security patches signal heightened scrutiny on the library's handling of edge-case cryptographic operations. While the core Web PKI remains secure, the flaws highlight risks in specialized deployments and non-standard certificate chains. Organizations and developers relying on the `pyca/cryptography` library for TLS, code signing, or other PKI-dependent operations must prioritize upgrading to version 46.0.6 or later to mitigate these specific attack vectors.
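As an added illustration (not the library's code, and not the patched logic itself, which this report does not reproduce): a self-contained check in which DNS name constraints are applied both to a wildcard SAN's base domain and to the peer name actually being verified, so a wildcard SAN cannot authenticate a host outside the CA's permitted subtree or inside an excluded one. The RFC 5280 subtree rule and the single-label wildcard rule are assumptions about the intended semantics, and all names below are constructed sample data.

```python
"""Illustrative name-constraint handling for wildcard DNS SANs (assumed semantics)."""
from dataclasses import dataclass, field


def _dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10 (assumed): a DNS name lies in a subtree when it equals
    the subtree or ends with '.' + subtree, e.g. host.example.com in example.com."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().strip(".")
    return name == subtree or name.endswith("." + subtree)


def _wildcard_base(san: str) -> str:
    """'*.example.com' is constrained by the domain it expands under: example.com."""
    return san[2:] if san.startswith("*.") else san


@dataclass
class DnsNameConstraints:
    permitted: list[str] = field(default_factory=list)  # empty list = unrestricted
    excluded: list[str] = field(default_factory=list)

    def allows(self, name: str) -> bool:
        """A concrete DNS name passes only if it is in no excluded subtree and,
        when permitted subtrees exist, in at least one of them."""
        if any(_dns_in_subtree(name, ex) for ex in self.excluded):
            return False
        return not self.permitted or any(_dns_in_subtree(name, p) for p in self.permitted)


def hostname_matches_san(hostname: str, san: str) -> bool:
    """Peer-name match: exact, or a leftmost single-label wildcard (assumed rule)."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        host_labels, san_labels = hostname.split("."), san.split(".")
        return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]
    return "*" not in san and hostname == san


def verify_peer(hostname: str, leaf_sans: list[str], nc: DnsNameConstraints) -> bool:
    """A SAN authenticates the peer only if it matches the hostname AND both the
    SAN's constrained form and the hostname itself satisfy the name constraints.
    Checking the hostname too stops '*.example.com' from covering a host that sits
    in an excluded subtree such as internal.example.com."""
    return any(
        hostname_matches_san(hostname, san)
        and nc.allows(_wildcard_base(san))
        and nc.allows(hostname)
        for san in leaf_sans
    )
```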

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-34073, X.509, Python, Security Patch, Cryptography
- **Credibility**: unverified
- **Published**: 2026-03-29 02:27:06
- **ID**: 39459
- **URL**: https://whisperx.ai/en/intel/39459