pyca/cryptography: CVE-2026-34073: X.509: bypass of name constraints on wildcard SANs with matching peer names

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43
advises:
> Package:                cryptography (pip)
> Affected versions:      <= 46.0.5
> Patched versions:       >= 46.0.6
> Severity:               Low
> CVE ID:                 CVE-2026-34073
> Weaknesses:             CWE-295
>
> Summary
> -------
> In versions of cryptography prior to 46.0.5, DNS name constraints were
> only validated against SANs within child certificates, and not the
> "peer name" presented during each validation. Consequently,
> cryptography would allow a peer named bar.example.com to validate
> against a wildcard leaf certificate for *.example.com, even if the
> leaf's parent certificate (or upwards) contained an excluded subtree
> constraint for bar.example.com.
>
> This behavior resulted from a gap between RFC 5280 (which defines Name
> Constraint semantics) and RFC 9525 (which defines service identity
> semantics): put together, neither states definitively whether Name
> Constraints should be applied to peer names. To close this gap,
> cryptography now conservatively rejects any validation where the peer
> name would be rejected by a name constraint if it were a SAN instead.
>
> In practice, exploitation of this bypass requires an uncommon X.509
> topology, one that the Web PKI avoids because it exhibits these kinds
> of problems. Consequently, we consider this a medium-to-low impact
> severity.
>
> See CVE-2025-61727 for a similar bypass in Go's crypto/x509.
>
> Remediation
> -----------
> Users should upgrade to 46.0.6 or newer.
>
> Attribution
> -----------
> Reporter: 1seal (https://github.com/1seal)