## Cryptography Library Flaw Exposed: DNS Constraint Bypass in Python's PyCA Package (CVE-2026-34073)
A critical vulnerability in a foundational Python cryptography library has been patched. The flaw could allow attackers to bypass DNS name constraints during certificate validation. The security advisory, tracked as CVE-2026-34073, was issued for the `pyca/cryptography` package. The core failure was that the library's validation logic only checked DNS name constraints against Subject Alternative Names (SANs) within child certificates, while ignoring the "peer name" presented during each validation step. This oversight created a potential pathway for spoofing.

Specifically, the vulnerability resided in versions of the `cryptography` package prior to 46.0.5. The flaw meant that a system could incorrectly validate a certificate for a peer named, for example, `bar.example.com` against a wildcard leaf certificate that should not have been authorized for that specific name. This bypass of intended DNS constraints undermines a core security mechanism for verifying the identity of remote servers and services in TLS/SSL and other certificate-based authentication scenarios.

The patch, released as version 46.0.6, corrects this validation logic to properly check the peer name. The update is marked as a security fix, prompting immediate scrutiny and action from development and security teams globally. This incident highlights the latent risks in widely adopted, low-level cryptographic dependencies that form the bedrock of secure communications across countless Python applications, from web services to internal tooling. The silent nature of such a validation failure makes it a high-priority update, as exploitation could lead to man-in-the-middle attacks or unauthorized access without obvious signs of compromise.
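
The difference between checking constraints against SANs only and also checking the peer name can be seen in a small model. This is an added example, not code from `pyca/cryptography`: the function names are hypothetical, and the scenario (a CA that permits `example.com` but excludes `bar.example.com`) is constructed for illustration.

```python
# Added illustration: a simplified model of DNS name-constraint checking.
# This is not pyca/cryptography's code; all function names are hypothetical.

def in_subtree(name: str, subtree: str) -> bool:
    """dNSName constraint match: name equals the subtree or is a subdomain of it."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def wildcard_matches(pattern: str, peer: str) -> bool:
    """Leftmost-label wildcard: *.example.com covers exactly one extra label."""
    p, h = pattern.lower().split("."), peer.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def allowed(name: str, permitted: list, excluded: list) -> bool:
    """Excluded subtrees always win; an empty permitted list means no restriction."""
    if any(in_subtree(name, s) for s in excluded):
        return False
    return not permitted or any(in_subtree(name, s) for s in permitted)

def validate_sans_only(sans, peer, permitted, excluded) -> bool:
    """Behaviour the article describes before the fix: constraints see SANs only."""
    return (any(wildcard_matches(s, peer) for s in sans)
            and all(allowed(s, permitted, excluded) for s in sans))

def validate_with_peer(sans, peer, permitted, excluded) -> bool:
    """Corrected model: the peer name must satisfy the constraints as well."""
    return (validate_sans_only(sans, peer, permitted, excluded)
            and allowed(peer, permitted, excluded))

# Constructed scenario: the issuing CA permits example.com but excludes bar.example.com.
PERMITTED, EXCLUDED = ["example.com"], ["bar.example.com"]
LEAF_SANS = ["*.example.com"]

if __name__ == "__main__":
    for peer in ("foo.example.com", "bar.example.com"):
        print(peer,
              "sans-only:", validate_sans_only(LEAF_SANS, peer, PERMITTED, EXCLUDED),
              "with-peer:", validate_with_peer(LEAF_SANS, peer, PERMITTED, EXCLUDED))
```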

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, cryptography, python, CVE-2026-34073, security
- **Credibility**: unverified
- **Published**: 2026-03-31 08:27:06
- **ID**: 42731
- **URL**: https://whisperx.ai/en/intel/42731