—
RUSTSEC-2026-0104
Reachable panic in certificate revocation list parsing
Details
A panic was reachable when parsing certificate revocation lists via [`BorrowedCertRevocationList::from_der`] or [`OwnedCertRevocationList::from_der`]. This was the result of mishandling a syntactically valid empty `BIT STRING` appearing in the `onlySomeReasons` element of a `IssuingDistributionPoint` CRL extension.
This panic is reachable prior to a CRL's signature being verified.
Applications that do not use CRLs are not affected.
Thank you to [@tynus3](https://github.com/tynus3) for the report.
Are you affected?
Enter the version of the package you're using.
Affected packages
crates.io / rustls-webpki
Introduced in:
0.0.0-0 Fixed in: 0.103.13 Upgrade rustls-webpki to 0.103.13 or newer (ecosystem crates.io).