{"id":"RUSTSEC-2026-0049","summary":"CRLs not considered authoritative by Distribution Point due to faulty matching logic","details":"If a certificate had more than one `distributionPoint`, then only the first `distributionPoint` would be considered against each CRL's `IssuingDistributionPoint` `distributionPoint`, and then the certificate's subsequent `distributionPoint`s would be ignored.\n\nThe impact was that correctly provided CRLs would not be consulted to check revocation. With `UnknownStatusPolicy::Deny` (the default) this would lead to incorrect but safe `Error::UnknownRevocationStatus`. With `UnknownStatusPolicy::Allow` this would lead to inappropriate acceptance of revoked certificates.\n\nThis vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)\n\nMore likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.\n\nThis vulnerability is identified as [GHSA-pwjx-qhcg-rvj4](https://github.com/rustls/webpki/security/advisories/GHSA-pwjx-qhcg-rvj4).\n\nThank you to @1seal for the report.","aliases":["GHSA-pwjx-qhcg-rvj4"],"modified":"2026-03-24T08:30:09.119350Z","published":"2026-03-20T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/rustls-webpki"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0049.html"}],"affected":[{"package":{"name":"rustls-webpki","ecosystem":"crates.io","purl":"pkg:cargo/rustls-webpki"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.102.0-alpha.0"},{"fixed":"0.103.10"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"os":[],"functions":[]}},"database_specific":{"categories":["privilege-escalation"],"cvss":null,"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0049.json"}}],"schema_version":"1.7.5"}