{"id":"RUSTSEC-2026-0044","summary":"AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN","details":"A logic error in CN (Common Name) validation allows certificates with\nwildcard or raw UTF-8 Unicode CN values to bypass name constraints\nenforcement. The `cn2dnsid` function does not recognize these CN patterns\nas valid DNS identifiers, causing `NAME_CONSTRAINTS_check_CN` to skip\nvalidation. However, `X509_check_host` accepts these CN values when no\ndNSName SAN is present, allowing certificates to bypass name constraints\nwhile still being used for hostname verification.\n\nCustomers of AWS services do not need to take action. Applications using\n`aws-lc-sys` should upgrade to the most recent release of `aws-lc-sys`.\n\n## Workarounds\n\nApplications that set `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` to disable CN\nfallback are not affected. Applications that only encounter certificates\nwith dNSName SANs (standard for public WebPKI) are also not affected.\n\nOtherwise, there is no workaround and applications using `aws-lc-sys` should\nupgrade to the most recent releases of `aws-lc-sys`.","aliases":["GHSA-394x-vwmw-crm3"],"modified":"2026-03-20T17:15:07.834445Z","published":"2026-03-19T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/aws-lc-sys"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0044.html"},{"type":"ADVISORY","url":"https://github.com/aws/aws-lc-rs/security/advisories/GHSA-394x-vwmw-crm3"}],"affected":[{"package":{"name":"aws-lc-sys","ecosystem":"crates.io","purl":"pkg:cargo/aws-lc-sys"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.32.0"},{"fixed":"0.39.0"}]}],"ecosystem_specific":{"affects":{"functions":[],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0044.json","categories":["crypto-failure"],"cvss":null}}],"schema_version":"1.7.5"}