RUSTSEC-2026-0104: Reachable panic in certificate revocation list parsing
8 affected

A panic was reachable when parsing certificate revocation lists via BorrowedCertRevocationList::from_der
or OwnedCertRevocationList::from_der. This was the result of mishandling a syntactically valid empty
BIT STRING appearing in the onlySomeReasons element of an IssuingDistributionPoint CRL extension.
This panic is reachable prior to a CRL's signature being verified.
Applications that do not use CRLs are not affected.
Thank you to @tynus3 for the report.
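The defect class described above, an empty BIT STRING in onlySomeReasons, as an added example that is not code from rustls-webpki or the advisory: a small defensive decoder for the RFC 5280 ReasonFlags BIT STRING. It assumes the panic class was an unchecked access into the empty bit string; DerError, REASON_NAMES and parse_reason_flags are names introduced here.

```rust
// Added example (not rustls-webpki code): a defensive decoder for the RFC 5280
// ReasonFlags BIT STRING carried in IssuingDistributionPoint.onlySomeReasons.
// The assumption is that the advisory's panic class is an unchecked access into
// an empty bit string; this decoder turns that case into a value or an Err.

#[derive(Debug, PartialEq)]
pub enum DerError { WrongTag, Truncated, BadUnusedBits }

/// ReasonFlags names in bit order (RFC 5280 5.2.5); bit 0 is the MSB of the
/// first content byte after the unused-bits octet.
const REASON_NAMES: [&str; 9] = [
    "unused", "keyCompromise", "cACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold",
    "privilegeWithdrawn", "aACompromise",
];

/// Decodes a primitive, short-form DER BIT STRING into the set ReasonFlags.
/// `03 01 00` (empty, syntactically valid) yields no flags; `03 00` (no
/// unused-bits octet, invalid per X.690 8.6.2) is an Err rather than a panic.
pub fn parse_reason_flags(der: &[u8]) -> Result<Vec<&'static str>, DerError> {
    let (&tag, rest) = der.split_first().ok_or(DerError::Truncated)?;
    if tag != 0x03 {
        return Err(DerError::WrongTag);
    }
    let (&len, rest) = rest.split_first().ok_or(DerError::Truncated)?;
    // Short-form length only; a ReasonFlags value never needs the long form.
    if len >= 0x80 || rest.len() < len as usize {
        return Err(DerError::Truncated);
    }
    let content = &rest[..len as usize];
    // split_first instead of content[0]: the empty case becomes an Err.
    let (&unused, bits) = content.split_first().ok_or(DerError::Truncated)?;
    if unused > 7 || (bits.is_empty() && unused != 0) {
        return Err(DerError::BadUnusedBits);
    }
    let total_bits = bits.len() * 8 - usize::from(unused);
    let mut names = Vec::new();
    for i in 0..total_bits.min(REASON_NAMES.len()) {
        if bits[i / 8] & (0x80 >> (i % 8)) != 0 {
            names.push(REASON_NAMES[i]);
        }
    }
    Ok(names)
}
```

The inputs in the test are constructed ReasonFlags encodings; a CRL consumer would apply the same rule to any length-prefixed field it reads before the signature is checked.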
Affected Packages
rustls-webpki 0.103.10
hypothesis-client 0.12.0-4+b2
affected ⚠️
librust-rustls-webpki-0.101-dev 0.101.7-7
rustls-webpki 0.103.10
nethsm-pkcs11 2.0.0-2+b2
rustls-webpki 0.103.10
numbat 1.11.0-5+b1
rustls-webpki 0.103.10
prr 0.20.0-2+b2
rustls-webpki 0.103.10
signal-tlsd 0.1.1-1
rustls-webpki 0.103.10
tealdeer 1.8.1-1+b1
rustls-webpki 0.103.10
wasm-bindgen 0.2.108+ds-2+b1