## Critical Panic Vulnerability Disclosed in rustls-webpki Certificate Revocation List Parsing
A security audit has identified three vulnerabilities in rustls-webpki, the widely deployed Rust library that rustls uses for X.509 certificate path validation. The most severe, catalogued as RUSTSEC-2026-0104, is a reachable panic during certificate revocation list (CRL) parsing in versions before 0.103.13 and 0.104.0-alpha.7.

The vulnerability stems from mishandling an empty BIT STRING in the `onlySomeReasons` field of an `IssuingDistributionPoint` CRL extension. The encoding in question is well-formed DER (a BIT STRING carrying zero bits), not malformed input, so it passes structural decoding before reaching the faulty code path. Critically, the panic is reachable from `BorrowedCertRevocationList::from_der` or `OwnedCertRevocationList::from_der`, that is, while the CRL is being decoded and before its signature is checked. An attacker therefore does not need a CRL signed by a trusted issuer: any CRL the application hands to the parser, for example one fetched from a distribution point, can trigger the panic and cause a denial of service. What that panic costs depends on the deployment: under Rust's default unwind strategy it tears down the thread or task doing the parsing, while with `panic = "abort"` it terminates the process. Applications that never parse CRLs (that is, do not use the library's revocation-checking support) are unaffected. The flaw was reported by researcher @tynus3.
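To make the bug class concrete, here is an added example (not code from rustls-webpki, and not the actual faulty routine) that decodes a DER BIT STRING as the CRL `ReasonFlags` value. In DER an empty BIT STRING is the three bytes `03 01 00` (tag, length 1, unused-bits byte 0, no content), which is exactly the valid-but-empty shape the advisory describes. `reason_flags_naive` indexes the first content byte unconditionally and panics on that input; `reason_flags_checked` is the fallible form a library should use, and also validates and masks the unused-bits count, which goes slightly beyond the advisory's specific case. The sample byte strings are constructed for this example, not taken from a real CRL.

```rust
// Added example, not rustls-webpki code. Minimal DER BIT STRING reader for
// the CRL `onlySomeReasons` ReasonFlags field, contrasting a panicking parser
// with a fallible one on a zero-length (but valid) BIT STRING.

#[derive(Debug, PartialEq)]
pub enum DerError {
    UnexpectedEnd,
    WrongTag(u8),
    BadLength,
    BadUnusedBits(u8),
}

const TAG_BIT_STRING: u8 = 0x03;

/// Split a DER TLV with a short-form (< 128 byte) length into (tag, contents, rest).
fn read_tlv(input: &[u8]) -> Result<(u8, &[u8], &[u8]), DerError> {
    if input.len() < 2 {
        return Err(DerError::UnexpectedEnd);
    }
    let tag = input[0];
    let len = input[1] as usize;
    if len >= 0x80 {
        return Err(DerError::BadLength); // long-form lengths not needed for ReasonFlags
    }
    let end = 2 + len;
    if input.len() < end {
        return Err(DerError::UnexpectedEnd);
    }
    Ok((tag, &input[2..end], &input[end..]))
}

/// Naive reader modelled on the bug class in the advisory: it assumes at least
/// one content byte follows the unused-bits byte. `03 01 00` is valid DER with
/// no content bytes, so `contents[1]` is out of bounds and this panics.
pub fn reason_flags_naive(input: &[u8]) -> u8 {
    let (tag, contents, _) = read_tlv(input).expect("well-formed TLV");
    assert_eq!(tag, TAG_BIT_STRING);
    // contents[0] is the unused-bits count; contents[1] holds the flag bits.
    contents[1]
}

/// Fallible reader: handles the empty case explicitly, checks the unused-bits
/// byte per DER rules (0..=7, and 0 when there are no content bytes), and masks
/// trailing unused bits so they cannot be misread as reason flags.
pub fn reason_flags_checked(input: &[u8]) -> Result<Option<u8>, DerError> {
    let (tag, contents, _) = read_tlv(input)?;
    if tag != TAG_BIT_STRING {
        return Err(DerError::WrongTag(tag));
    }
    let (&unused, bits) = contents.split_first().ok_or(DerError::UnexpectedEnd)?;
    if unused > 7 || (bits.is_empty() && unused != 0) {
        return Err(DerError::BadUnusedBits(unused));
    }
    if bits.is_empty() {
        // Zero-length ReasonFlags: no reasons selected. The caller decides
        // whether that is acceptable for an IssuingDistributionPoint.
        return Ok(None);
    }
    let mask = 0xFFu8 << unused;
    Ok(Some(bits[0] & mask))
}

// Constructed inputs for this example (not from a real CRL).
pub const EMPTY_REASON_FLAGS: &[u8] = &[0x03, 0x01, 0x00]; // valid, zero-bit BIT STRING
pub const KEY_COMPROMISE_ONLY: &[u8] = &[0x03, 0x02, 0x06, 0x40]; // 2 bits used, keyCompromise set
pub const TRAILING_BITS_SET: &[u8] = &[0x03, 0x02, 0x06, 0x7F]; // 6 unused bits carry junk

fn main() {
    println!("empty:   {:?}", reason_flags_checked(EMPTY_REASON_FLAGS));
    println!("keyComp: {:?}", reason_flags_checked(KEY_COMPROMISE_ONLY));
    println!("junk:    {:?}", reason_flags_checked(TRAILING_BITS_SET));
    // reason_flags_naive(EMPTY_REASON_FLAGS) would panic here.
}
```

The design point is that a parser running before signature verification must treat every structurally valid encoding as hostile input and return an error rather than rely on an index that is only valid for non-empty strings. Wrapping `from_der` in `std::panic::catch_unwind` is a stopgap, not a fix, since it does nothing under `panic = "abort"`.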

A second vulnerability, RUSTSEC-2026-0098, concerns incorrect handling of name constraints for URI names, which were reportedly ignored during validation. The third vulnerability remains only partially described in the available documentation. Organizations running affected versions should upgrade to 0.103.13 or later, or to 0.104.0-alpha.7 or later; `cargo audit` flags the advisory directly, and `cargo tree -i rustls-webpki` shows which dependencies pull in an affected version transitively. Given the library's central role in Rust TLS deployments, the pre-verification trigger path matters for any deployment that enables CRL-based revocation checking in rustls, particularly where CRLs are fetched from network distribution points rather than bundled with the application.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: rustls-webpki, RUSTSEC-2026-0104, CRL parsing, certificate validation, denial of service
- **Credibility**: unverified
- **Published**: 2026-04-26 05:54:08
- **ID**: 77154
- **URL**: https://whisperx.ai/en/intel/77154