RUSTSEC-2026-0049
- Source
- https://rustsec.org/advisories/RUSTSEC-2026-0049
- Import Source
- https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0049.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/RUSTSEC-2026-0049
- Aliases
- Published
- 2026-03-20T12:00:00Z
- Modified
- 2026-03-24T08:30:18.382158Z
- Summary
- CRLs not considered authoritative by Distribution Point due to faulty matching logic
- Details
-
If a certificate had more than one
distributionPoint, then only the firstdistributionPointwould be considered against each CRL'sIssuingDistributionPointdistributionPoint, and then the certificate's subsequentdistributionPoints would be ignored.The impact was that correctly provided CRLs would not be consulted to check revocation. With
UnknownStatusPolicy::Deny(the default) this would lead to incorrect but safeError::UnknownRevocationStatus. WithUnknownStatusPolicy::Allowthis would lead to inappropriate acceptance of revoked certificates.This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)
More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.
This vulnerability is identified as GHSA-pwjx-qhcg-rvj4. Thank you to @1seal for the report.
- Database specific
{ "license": "CC0-1.0" }- References
Affected packages
crates.io / rustls-webpki
Package
- Name
- rustls-webpki
- View open source insights on deps.dev
- Purl
- pkg:cargo/rustls-webpki