Bug 2453276 (CVE-2026-34073)

Summary: CVE-2026-34073 python-cryptography: Cryptography: Security bypass due to improper DNS name constraint validation
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: alinfoot, anpicker, anthomas, aprice, bbrownin, bdettelb, bparees, brasmith, cahl, caswilli, cmyers, cochase, derez, dfreiber, dnakabaa, doconnor, dranck, drow, dschmidt, dtrifiro, eborisov, ebourniv, ehelms, erezende, ggainey, hasun, jburrell, jdobes, jfula, jkoehler, jlanda, jmitchel, jowilson, jpasqual, jsamir, juwatts, jwong, kaycoth, kgaikwad, kshier, lball, lcouzens, lgallett, ljawale, lphiri, luizcosta, mbarnett, mhayden, mhulan, msilmser, ngough, nmoumoul, nweather, nyancey, oezr, omaciel, ometelka, orabin, osousa, pakotvan, pbohmill, pcreech, ptisnovs, rbobbitt, rbryant, rchan, rhel-process-autobot, sbunciak, sdoran, simaishi, smallamp, smcdonal, stcannon, sthirugn, syedriko, teagle, tmalecek, ttakamiy, veshanka, vkumar, watson-tool-maintainers, weaton, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the `cryptography` library. This vulnerability occurs because DNS (Domain Name System) name constraints were not properly validated against the "peer name" during certificate validation, only against Subject Alternative Names (SANs) within child certificates. This oversight could allow a malicious actor to bypass security restrictions, enabling a certificate for a specific domain to be validated against a broader wildcard certificate, even when an exclusion for that specific domain exists. This could lead to an attacker impersonating a legitimate server or service.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2453609, 2453610, 2453611    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-31 03:01:49 UTC
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.