## PyCA cryptography 46.0.6 Patches Critical X.509 Wildcard Certificate Validation Flaw (CVE-2026-34073)
The widely used PyCA cryptography library has released a security update to patch a vulnerability in X.509 certificate validation. The flaw, tracked as CVE-2026-34073, could allow an attacker to bypass name constraints during peer verification under a specific, non-standard certificate configuration. The bug was present when a leaf certificate contained a wildcard DNS Subject Alternative Name (SAN). In this scenario, name constraints (rules that restrict which domain names a certificate authority can certify) were not correctly applied to the peer's name during verification. This creates a potential avenue for spoofing or impersonation within constrained PKI environments.

The vulnerability was discovered and reported by security researcher Oleh Konko (1seal). The maintainers explicitly state that ordinary X.509 topologies, including the entire Web PKI used for HTTPS on the internet, are not affected by this bug. The risk is confined to more specialized, non-web public key infrastructures that use both wildcard DNS SANs and name constraint extensions. The fix, released in version 46.0.6, ensures these constraints are properly enforced in all cases, closing the validation gap.
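To help judge whether a private PKI matches the affected topology, the following added example models the gap in plain Python. It is not code from PyCA cryptography or from the advisory. The domain names, the excluded-subtree scenario, and the treatment of a wildcard SAN as a literal string are assumptions chosen to make the difference between the two checks visible.

```python
# Added illustration: simplified model of DNS name-constraint checks
# (RFC 5280 subtree matching). All names and data below are constructed.

def in_subtree(name: str, base: str) -> bool:
    """True if `name` equals `base` or is a subdomain of it."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return base == "" or name == base or name.endswith("." + base)

def constraints_allow(name, permitted, excluded) -> bool:
    """Excluded subtrees always win; a non-empty permitted list must match."""
    if any(in_subtree(name, b) for b in excluded):
        return False
    return not permitted or any(in_subtree(name, b) for b in permitted)

def san_matches(san: str, peer: str) -> bool:
    """Exact match, or a left-most wildcard covering exactly one label."""
    san, peer = san.lower(), peer.lower()
    if san.startswith("*."):
        head, _, rest = peer.partition(".")
        return bool(head) and rest == san[2:]
    return san == peer

def verify(peer, leaf_sans, permitted, excluded, check_peer_name: bool) -> bool:
    """Accept `peer` only if a SAN matches and the constraints are satisfied.

    check_peer_name=False models checking constraints against the SANs only;
    check_peer_name=True also checks the name the client is connecting to.
    """
    if not any(san_matches(s, peer) for s in leaf_sans):
        return False
    if not all(constraints_allow(s, permitted, excluded) for s in leaf_sans):
        return False
    if check_peer_name and not constraints_allow(peer, permitted, excluded):
        return False
    return True

# Constructed scenario: a constrained CA and a wildcard leaf issued under it.
CA_PERMITTED = ["corp.example"]
CA_EXCLUDED = ["payroll.corp.example"]
LEAF_SANS = ["*.corp.example"]

if __name__ == "__main__":
    for peer in ("wiki.corp.example", "payroll.corp.example"):
        san_only = verify(peer, LEAF_SANS, CA_PERMITTED, CA_EXCLUDED, False)
        with_peer = verify(peer, LEAF_SANS, CA_PERMITTED, CA_EXCLUDED, True)
        print(f"{peer}: SAN-only check={san_only}, with peer-name check={with_peer}")
```

In this model the wildcard SAN passes the constraints as a string, so only the check against the peer name rejects the excluded host. A PKI without name constraints, or without wildcard DNS SANs under constrained CAs, never reaches that branch.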

This patch follows closely on the heels of another security enhancement in version 46.0.5, which added checks to prevent attacks against private keys when using uncommon binary elliptic curves. The consecutive security-focused releases signal active maintenance and responsiveness to edge-case threats in the foundational cryptographic layer used by countless Python applications. While the immediate impact is limited to niche deployments, the update is mandatory for any system relying on the affected library within a constrained PKI, underscoring the persistent need to scrutinize even well-established cryptographic primitives for subtle logic flaws.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-34073, X.509, PKI, Python, Security Patch
- **Credibility**: unverified
- **Published**: 2026-04-14 13:22:52
- **ID**: 63815
- **URL**: https://whisperx.ai/en/intel/63815