PT-2026-28601 · Unknown · Cryptography

1Seal · Published 2026-03-27 · Updated 2026-05-18 · CVE-2026-34073

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

cryptography versions prior to 46.0.5

Description

Versions of cryptography before 46.0.5 had a flaw in how DNS name constraints were validated. The validation only checked against Subject Alternative Names (SANs) in child certificates, not the peer name presented during validation. This allowed a peer name like bar.example.com to be accepted by a wildcard leaf certificate for *.example.com, even if a parent certificate excluded bar.example.com. This occurred because of differing interpretations between RFC 5280 and RFC 9525 regarding the application of Name Constraints to peer names.

Recommendations

Upgrade to version 46.0.6 or newer.
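
The gap in the Description can be reproduced with a small model of the two checks. This is an added example, not code from the cryptography project or its patch. The function names and the simplified DNS matching are assumptions made for illustration, and the certificate data is constructed.

```python
# Added illustration: simplified name-constraint logic, not the library's code.

def in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName constraint: name equals the subtree or is a subdomain of it."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def wildcard_match(pattern: str, host: str) -> bool:
    """RFC 9525-style match: '*' stands for exactly one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def constraints_allow(name, permitted, excluded) -> bool:
    """Apply the parent's excluded and permitted DNS subtrees to one name."""
    if any(in_subtree(name, e) for e in excluded):
        return False
    return not permitted or any(in_subtree(name, p) for p in permitted)

def validate_sans_only(sans, peer, permitted, excluded) -> bool:
    """Behaviour the advisory describes: constraints are applied to SANs only."""
    if not all(constraints_allow(s, permitted, excluded) for s in sans):
        return False
    return any(wildcard_match(s, peer) for s in sans)

def validate_with_peer_name(sans, peer, permitted, excluded) -> bool:
    """Stricter check (assumed form): the peer name must satisfy the constraints too."""
    return (validate_sans_only(sans, peer, permitted, excluded)
            and constraints_allow(peer, permitted, excluded))

# Constructed scenario from the Description: the parent certificate excludes
# bar.example.com, the leaf carries the wildcard SAN *.example.com.
LEAF_SANS = ["*.example.com"]
EXCLUDED = ["bar.example.com"]

if __name__ == "__main__":
    for peer in ("foo.example.com", "bar.example.com"):
        print(peer,
              "sans-only:", validate_sans_only(LEAF_SANS, peer, [], EXCLUDED),
              "with-peer:", validate_with_peer_name(LEAF_SANS, peer, [], EXCLUDED))
```

The wildcard SAN itself is not inside the excluded subtree, so a SAN-only check has nothing to reject; only applying the constraint to the concrete peer name closes the gap.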

Exploit

Fix

Improper Certificate Validation

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-AN27706
CVE-2026-34073
ECHO-4B9F-FBF8-C429
GHSA-M959-CC7F-WV43
OPENSUSE-SU-2026:10454-1
OPENSUSE-SU-2026:20506-1
PYSEC-2026-35
RHSA-2026:7295
SUSE-SU-2026:21021-1
SUSE-SU-2026:21116-1
SUSE-SU-2026:21126-1
SUSE-SU-2026:21165-1

Affected Products

Cryptography