RUSTSEC-2026-0098

Name constraints for URI names were incorrectly accepted

Reported

April 14, 2026

Issued

April 15, 2026

Package

rustls-webpki (crates.io)

Type

Vulnerability

Keywords

#name-constraints #x509

Aliases

GHSA-965h-392x-2mh5

Patched

>=0.103.12, <0.104.0-alpha.1
>=0.104.0-alpha.6

Description

Name constraints for URI names were ignored and therefore accepted.

Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented. URI name constraints are now rejected unconditionally.

Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.

This vulnerability is identified as GHSA-965h-392x-2mh5. Thank you to @1seal for the report.

Advisory available under CC0-1.0 license.