{"id":"RUSTSEC-2026-0099","summary":"Name constraints were accepted for certificates asserting a wildcard name","details":"Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.\n\nThis was incorrect because, given a name constraint of `accept.example.com`, `*.example.com` could feasibly allow a name of `reject.example.com` which is outside the constraint.\nThis is very similar to [CVE-2025-61727](https://go.dev/issue/76442).\n\nSince name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.\n\nThis vulnerability is identified as [GHSA-xgp8-3hg3-c2mh](https://github.com/rustls/webpki/security/advisories/GHSA-xgp8-3hg3-c2mh). Thank you to @1seal for the report.","aliases":["GHSA-xgp8-3hg3-c2mh"],"modified":"2026-04-15T10:00:06.619583Z","published":"2026-04-14T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/rustls-webpki"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0099.html"}],"affected":[{"package":{"name":"rustls-webpki","ecosystem":"crates.io","purl":"pkg:cargo/rustls-webpki"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.103.12"},{"introduced":"0.104.0-alpha.1"},{"fixed":"0.104.0-alpha.6"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":[],"functions":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0099.json","cvss":null,"informational":null,"categories":[]}}],"schema_version":"1.7.5"}