## RUSTSEC-2026-0099: rustls-webpki Flaw Allowed Wildcard Certificates to Bypass DNS Name Constraints
A critical validation flaw in `rustls-webpki`, the widely deployed Rust library for TLS certificate chain verification, permitted wildcard certificate names to bypass DNS name constraints that should have restricted them. The vulnerability, designated RUSTSEC-2026-0099, was identified in version 0.103.10 and patched across multiple release tracks by April 14, 2026.

The defect caused a permitted-subtree name constraint for DNS names to be treated as satisfied when the asserted certificate name was a wildcard. This creates a logical gap: with a name constraint of `accept.example.com`, a wildcard certificate for `*.example.com` could be accepted, and that certificate would then validate for `reject.example.com`, a hostname explicitly outside the intended constraint boundary. The bypass only comes into play after signature verification has already succeeded, so an attacker would need a properly signed certificate containing a wildcard name in order to exploit the weakness. The issue mirrors CVE-2025-61727, a similar vulnerability disclosed in the Go standard library's crypto/x509 package, suggesting a systemic gap in how wildcard expansion interacts with name constraint enforcement across certificate validation implementations.

The patched versions are `>=0.103.12` for the stable 0.103.x branch, and `>=0.104.0-alpha.6` for the 0.104.x alpha series (excluding `0.104.0-alpha.1` through `0.104.0-alpha.5`). Any application or service relying on rustls-webpki for TLS certificate validation—particularly those enforcing custom certificate authority name constraints in enterprise or regulated environments—faces potential exposure if wildcard certificates are used within constrained namespaces. The vulnerability underscores the sensitivity of boundary conditions in X.509 validation logic, where seemingly minor edge cases in pattern matching can undermine constraint-based access controls.
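The check the advisory describes, as an added illustration (constructed for this note, not rustls-webpki's own code): a wildcard presented name is within a permitted subtree only if everything it could match lies inside the constraint, so the part after `*.` must itself fall under the constraint; the `naive_wildcard_permitted` helper is a hypothetical containment-direction mistake of the kind that produces the `accept.example.com` / `*.example.com` gap, included only to contrast with the conservative rule.

```rust
// Constructed example of RFC 5280 permitted-subtree checks for DNS names
// when the presented name may be a wildcard. Not rustls-webpki's implementation.

/// Is `name` the constraint itself or a subdomain of it (RFC 5280 4.2.1.10)?
/// Leading-dot constraints and IDN normalisation are out of scope here.
fn dns_name_in_subtree(name: &str, constraint: &str) -> bool {
    let name = name.to_ascii_lowercase();
    let constraint = constraint.to_ascii_lowercase();
    if name == constraint {
        return true;
    }
    // Subdomain: name must end with "." followed by the whole constraint.
    name.len() > constraint.len()
        && name.ends_with(constraint.as_str())
        && name.as_bytes()[name.len() - constraint.len() - 1] == b'.'
}

/// Conservative rule: a wildcard `*.suffix` is permitted only if `suffix`
/// itself lies within the constraint, so every host the wildcard can match does.
fn presented_name_permitted(presented: &str, constraint: &str) -> bool {
    match presented.strip_prefix("*.") {
        Some(suffix) => dns_name_in_subtree(suffix, constraint),
        None => dns_name_in_subtree(presented, constraint),
    }
}

/// Hypothetical flawed rule (illustration only): it asks whether the constraint
/// sits under the wildcard's suffix, i.e. containment in the wrong direction,
/// so `accept.example.com` "fits" `*.example.com` and the wildcard is let through.
fn naive_wildcard_permitted(presented: &str, constraint: &str) -> bool {
    match presented.strip_prefix("*.") {
        Some(suffix) => dns_name_in_subtree(constraint, suffix),
        None => dns_name_in_subtree(presented, constraint),
    }
}

fn main() {
    let constraint = "accept.example.com";
    for presented in ["*.example.com", "*.accept.example.com", "reject.example.com"] {
        println!(
            "{presented:<24} conservative={} naive={}",
            presented_name_permitted(presented, constraint),
            naive_wildcard_permitted(presented, constraint)
        );
    }
}
```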
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: rustls-webpki, RUSTSEC-2026-0099, TLS, certificate validation, wildcard certificates
- **Credibility**: unverified
- **Published**: 2026-04-22 17:27:36
- **ID**: 76035
- **URL**: https://whisperx.ai/en/intel/76035