Wasmtime GitHub notifications bot (Mar 21 2026 at 00:13): Wasmtime GitHub notifications bot (Mar 21 2026 at 00:13):github-actions[bot] opened issue #12814:
CRLs not considered authorative by Distribution Point due to faulty matching logic
Details Package rustls-webpkiVersion 0.102.2Date 2026-03-20 Patched versions >=0.103.10If a certificate had more than one
distributionPoint, then only the firstdistributionPointwould be considered against each CRL'sIssuingDistributionPointdistributionPoint, and then the certificate's subsequentdistributionPoints would be ignored.The impact was that correct provided CRLs would not be consulted to check revocation. With
UnknownStatusPolicy::Deny(the default) this would lead to incorrect but safeError::UnknownRevocationStatus. WithUnknownStatusPolicy::Allowthis would lead to inappropriate acceptance of revoked certificates.This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)
More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.
This vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @1seal for the report.
See advisory page for additional details.
Last updated: Mar 23 2026 at 16:19 UTC