CVE-2026-34073

Publication date 31 March 2026

Last updated 10 April 2026


Ubuntu priority

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, its X.509 path validation checked DNS name constraints only against the subject alternative names (SANs) carried in child certificates, never against the "peer name" the caller supplied for the validation. Consequently, cryptography would accept a peer named bar.example.com against a wildcard leaf certificate for *.example.com even when the leaf's issuing certificate (or one above it) carried an excluded-subtree name constraint for bar.example.com: the SAN *.example.com is not within the excluded subtree, so the constraint never fired, while the wildcard still matched the peer name. This issue has been patched in version 46.0.6.
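The following is an added illustration of the failure mode described above; it is not pyca/cryptography code and not the patch. It models RFC 5280 DNS name-constraint matching and RFC 6125 wildcard hostname matching in pure Python, then compares a validator that constrains only the leaf's SANs (the pre-46.0.6 behaviour as the advisory describes it) with one that also constrains the peer name. The CA constraints, leaf SANs and hostnames are constructed inputs; the function names are this example's own.

```python
"""Added illustration (not pyca/cryptography code): why checking DNS name
constraints only against a leaf's SANs lets a wildcard leaf slip past an
excluded subtree that covers the peer name. All inputs are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 s4.2.1.10: a DNS name lies within a constraint subtree when it
    equals the subtree or ends with "." + subtree (extra left-hand labels only).
    A leading "." on the subtree, which some CAs emit, is tolerated."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().strip(".")
    return name == subtree or name.endswith("." + subtree)


def san_matches_peer(san: str, peer: str) -> bool:
    """Hostname matching in the RFC 6125 style: "*" is honoured only as the
    entire leftmost label and matches exactly one label."""
    san, peer = san.lower(), peer.lower()
    if san.startswith("*."):
        suffix = san[1:]                                   # ".example.com"
        head = peer[: -len(suffix)] if peer.endswith(suffix) else None
        return bool(head) and "." not in head
    return san == peer


@dataclass
class NameConstraints:
    """The permitted/excluded dNSName subtrees from one CA's NameConstraints."""
    permitted: List[str] = field(default_factory=list)
    excluded: List[str] = field(default_factory=list)

    def allows(self, dns_name: str) -> bool:
        if any(dns_in_subtree(dns_name, ex) for ex in self.excluded):
            return False
        if self.permitted and not any(dns_in_subtree(dns_name, p) for p in self.permitted):
            return False
        return True


def validate_san_only(ca_constraints: List[NameConstraints],
                      leaf_sans: List[str], peer: str) -> bool:
    """Behaviour the advisory describes for cryptography < 46.0.6: each CA's
    constraints are applied to the leaf's SAN entries, then the peer name is
    matched against those SANs. The peer name itself is never constrained."""
    for nc in ca_constraints:
        if not all(nc.allows(san) for san in leaf_sans):
            return False
    return any(san_matches_peer(san, peer) for san in leaf_sans)


def validate_san_and_peer(ca_constraints: List[NameConstraints],
                          leaf_sans: List[str], peer: str) -> bool:
    """Corrected behaviour: besides the SANs, the peer name the caller asked
    for must itself satisfy every CA's constraints."""
    if not validate_san_only(ca_constraints, leaf_sans, peer):
        return False
    return all(nc.allows(peer) for nc in ca_constraints)


def demo() -> dict:
    # Constructed chain: an issuing CA that excludes bar.example.com, and a
    # leaf whose only SAN is the wildcard *.example.com.
    ca = [NameConstraints(excluded=["bar.example.com"])]
    leaf_sans = ["*.example.com"]
    return {
        "san_only_bar": validate_san_only(ca, leaf_sans, "bar.example.com"),
        "fixed_bar": validate_san_and_peer(ca, leaf_sans, "bar.example.com"),
        "fixed_foo": validate_san_and_peer(ca, leaf_sans, "foo.example.com"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The SAN-only validator accepts bar.example.com because the wildcard SAN is not itself inside the excluded subtree, so the constraint never fires; only when the requested peer name is also run through the constraints is the excluded name rejected, while foo.example.com is still accepted. In the real library the equivalent check happens inside the verifier built from cryptography.x509.verification.PolicyBuilder for a DNSName subject; a regression test there needs an actual CA chain with a NameConstraints extension and a build of 46.0.6 or later, which this offline model stands in for.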


Status

Package               Ubuntu Release      Status
python-cryptography   25.10 questing      Not affected
                      24.04 LTS noble     Not affected
                      22.04 LTS jammy     Not affected
                      20.04 LTS focal     Not affected
                      18.04 LTS bionic    Not affected
                      16.04 LTS xenial    Not affected

Notes


mdeslaur

x509 path validation appears to have been introduced in 42.0.0. See the following feature request bug and pull:
https://github.com/pyca/cryptography/issues/2381
https://github.com/pyca/cryptography/pull/8873
In addition, this CVE appears to have been introduced here:
https://github.com/pyca/cryptography/commit/286c89128896fc043c68d9061891badbdfa25dd2
Marking questing and earlier as not-affected.

Patch details

For informational purposes only. We recommend not to cherry-pick updates.

Package Patch details
python-cryptography
