Wasmtime GitHub notifications bot (Apr 16 2026 at 00:23): Wasmtime GitHub notifications bot (Apr 16 2026 at 00:23):github-actions[bot] opened issue #13117:
Name constraints were accepted for certificates asserting a wildcard name
Details Package rustls-webpkiVersion 0.103.10Date 2026-04-14 Patched versions >=0.103.12, <0.104.0-alpha.1,>=0.104.0-alpha.6Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
This was incorrect because, given a name constraint of
accept.example.com,*.example.comcould feasibly allow a name ofreject.example.comwhich is outside the constraint.
This is very similar to CVE-2025-61727.Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
This vulnerability is identified as GHSA-xgp8-3hg3-c2mh. Thank you to @1seal for the report.
See advisory page for additional details.
Wasmtime GitHub notifications bot (Apr 20 2026 at 18:10):pchickey closed issue #13117:
Name constraints were accepted for certificates asserting a wildcard name
Details Package rustls-webpkiVersion 0.103.10Date 2026-04-14 Patched versions >=0.103.12, <0.104.0-alpha.1,>=0.104.0-alpha.6Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
This was incorrect because, given a name constraint of
accept.example.com,*.example.comcould feasibly allow a name ofreject.example.comwhich is outside the constraint.
This is very similar to CVE-2025-61727.Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
This vulnerability is identified as GHSA-xgp8-3hg3-c2mh. Thank you to @1seal for the report.
See advisory page for additional details.
Last updated: May 03 2026 at 22:13 UTC