## Cryptography Library Security Patch: CVE-2026-34073 Fixes Wildcard DNS SAN Verification Flaw
A critical security update has been released for the widely-used Python cryptography library, addressing a vulnerability that could undermine certificate verification in specific, non-standard configurations. The patch, version 46.0.6, fixes a bug where name constraints were not correctly applied to peer names during verification when a leaf certificate contains a wildcard DNS SAN. This flaw, tracked as CVE-2026-34073, was reported by researcher Oleh Konko (1seal). The core Web PKI infrastructure and standard X.509 certificate topologies are reportedly not affected, limiting the immediate blast radius but highlighting a niche attack vector.

The update is part of a broader security hardening effort. A previous release, version 46.0.5, addressed a separate vulnerability involving binary elliptic curves. In that scenario, an attacker could craft a malicious public key that might leak portions of a user's private key during cryptographic operations. The library maintainers have now integrated additional security checks to prevent this class of attack, which specifically impacts the less common binary curve implementations.

For development and security teams, this underscores the persistent need for diligent dependency management. While the primary Web PKI remains secure, applications relying on custom or complex certificate chains with wildcard SANs must apply this patch to maintain verification integrity. The consecutive security-focused releases signal active maintenance and a responsive security posture from the PyCA cryptography project, but they also serve as a reminder that foundational cryptographic components require constant vigilance.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, cryptography, CVE-2026-34073, Python
- **Credibility**: unverified
- **Published**: 2026-03-29 03:27:02
- **ID**: 39505
- **URL**: https://whisperx.ai/en/intel/39505