{"id":"UBUNTU-CVE-2026-34073","details":"cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.","modified":"2026-04-13T14:33:29.011599Z","published":"2026-03-31T03:15:00Z","withdrawn":"2026-04-13T09:32:07Z","upstream":["CVE-2026-34073"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-34073"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2026-34073"},{"type":"REPORT","url":"https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43"}],"affected":[{"package":{"name":"python-cryptography","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/python-cryptography@1.2.3-1ubuntu0.3+esm1?arch=source&distro=esm-infra/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.0.1-1ubuntu1","1.0.2-1","1.1-1","1.1.1-1","1.1.1-1ubuntu1","1.1.1-1ubuntu2","1.1.1-1ubuntu3","1.2.2-2","1.2.3-1","1.2.3-1ubuntu0.1","1.2.3-1ubuntu0.2","1.2.3-1ubuntu0.3","1.2.3-1ubuntu0.3+esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"python-cryptography","binary_version":"1.2.3-1ubuntu0.3+esm1"},{"binary_name":"python3-cryptography","binary_version":"1.2.3-1ubuntu0.3+esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34073.json"}},{"package":{"name":"python-cryptography","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/python-cryptography@2.1.4-1ubuntu1.4+esm1?arch=source&distro=esm-infra/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.9-1","2.1.3-3","2.1.4-1","2.1.4-1build1","2.1.4-1build2","2.1.4-1ubuntu1","2.1.4-1ubuntu1.1","2.1.4-1ubuntu1.2","2.1.4-1ubuntu1.3","2.1.4-1ubuntu1.4","2.1.4-1ubuntu1.4+esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"python-cryptography","binary_version":"2.1.4-1ubuntu1.4+esm1"},{"binary_name":"python3-cryptography","binary_version":"2.1.4-1ubuntu1.4+esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34073.json"}},{"package":{"name":"python-cryptography","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/python-cryptography@2.8-3ubuntu0.3?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.6.1-3.1","2.6.1-4","2.6.1-4ubuntu1","2.8-1ubuntu2","2.8-2","2.8-3","2.8-3ubuntu0.1","2.8-3ubuntu0.2","2.8-3ubuntu0.3"],"ecosystem_specific":{"binaries":[{"binary_name":"python-cryptography","binary_version":"2.8-3ubuntu0.3"},{"binary_name":"python3-cryptography","binary_version":"2.8-3ubuntu0.3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34073.json"}},{"package":{"name":"python-cryptography","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/python-cryptography@3.4.8-1ubuntu2.4?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.3.2-1","3.3.2-1build1","3.4.8-1","3.4.8-1ubuntu1","3.4.8-1ubuntu2","3.4.8-1ubuntu2.1","3.4.8-1ubuntu2.2","3.4.8-1ubuntu2.3","3.4.8-1ubuntu2.4"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-cryptography","binary_version":"3.4.8-1ubuntu2.4"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34073.json"}},{"package":{"name":"python-cryptography","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/python-cryptography@41.0.7-4ubuntu0.4?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["38.0.4-4","38.0.4-4ubuntu1","41.0.7-3","41.0.7-4build2","41.0.7-4build3","41.0.7-4ubuntu0.1","41.0.7-4ubuntu0.3","41.0.7-4ubuntu0.4"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-cryptography","binary_version":"41.0.7-4ubuntu0.4"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34073.json"}},{"package":{"name":"python-cryptography","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/python-cryptography@43.0.0-1ubuntu1.2?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["43.0.0-1ubuntu1","43.0.0-1ubuntu1.1","43.0.0-1ubuntu1.2"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-cryptography","binary_version":"43.0.0-1ubuntu1.2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34073.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]}