rustsec-2026-0044
Vulnerability from osv_rustsec
A logic error in CN (Common Name) validation allows certificates with
wildcard or raw UTF-8 Unicode CN values to bypass name constraints
enforcement. The cn2dnsid function does not recognize these CN patterns
as valid DNS identifiers, causing NAME_CONSTRAINTS_check_CN to skip
validation. However, X509_check_host accepts these CN values when no
dNSName SAN is present, allowing certificates to bypass name constraints
while still being used for hostname verification.
Customers of AWS services do not need to take action. Applications using
aws-lc-sys should upgrade to the most recent release of aws-lc-sys.
Workarounds
Applications that set X509_CHECK_FLAG_NEVER_CHECK_SUBJECT to disable CN
fallback are not affected. Applications that only encounter certificates
with dNSName SANs (standard for public WebPKI) are also not affected.
Otherwise, there is no workaround and applications using aws-lc-sys should
upgrade to the most recent releases of aws-lc-sys.
| URL | Type | |
|---|---|---|
{
"affected": [
{
"database_specific": {
"categories": [
"crypto-failure"
],
"cvss": null,
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "aws-lc-sys",
"purl": "pkg:cargo/aws-lc-sys"
},
"ranges": [
{
"events": [
{
"introduced": "0.32.0"
},
{
"fixed": "0.39.0"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"GHSA-394x-vwmw-crm3"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "A logic error in CN (Common Name) validation allows certificates with\nwildcard or raw UTF-8 Unicode CN values to bypass name constraints\nenforcement. The `cn2dnsid` function does not recognize these CN patterns\nas valid DNS identifiers, causing `NAME_CONSTRAINTS_check_CN` to skip\nvalidation. However, `X509_check_host` accepts these CN values when no\ndNSName SAN is present, allowing certificates to bypass name constraints\nwhile still being used for hostname verification.\n\nCustomers of AWS services do not need to take action. Applications using\n`aws-lc-sys` should upgrade to the most recent release of `aws-lc-sys`.\n\n## Workarounds\n\nApplications that set `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` to disable CN\nfallback are not affected. Applications that only encounter certificates\nwith dNSName SANs (standard for public WebPKI) are also not affected.\n\nOtherwise, there is no workaround and applications using `aws-lc-sys` should\nupgrade to the most recent releases of `aws-lc-sys`.",
"id": "RUSTSEC-2026-0044",
"modified": "2026-03-20T17:11:58Z",
"published": "2026-03-19T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/aws-lc-sys"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0044.html"
},
{
"type": "ADVISORY",
"url": "https://github.com/aws/aws-lc-rs/security/advisories/GHSA-394x-vwmw-crm3"
}
],
"related": [],
"severity": [],
"summary": "AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.