GHSA-xgp8-3hg3-c2mh: webpki: Name constraints were accepted for certificates asserting a wildcard name

April 16, 2026

Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.

This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.

References

github.com/advisories/GHSA-xgp8-3hg3-c2mh
github.com/rustls/webpki
github.com/rustls/webpki/security/advisories/GHSA-xgp8-3hg3-c2mh
rustsec.org/advisories/RUSTSEC-2026-0099.html

Code Behaviors & Features

Detect and mitigate GHSA-xgp8-3hg3-c2mh with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →