VDB
KO

RUSTSEC-2026-0104

Reachable panic in certificate revocation list parsing

Details

A panic was reachable when parsing certificate revocation lists via [`BorrowedCertRevocationList::from_der`] or [`OwnedCertRevocationList::from_der`]. This was the result of mishandling a syntactically valid empty `BIT STRING` appearing in the `onlySomeReasons` element of a `IssuingDistributionPoint` CRL extension.

This panic is reachable prior to a CRL's signature being verified.

Applications that do not use CRLs are not affected.

Thank you to [@tynus3](https://github.com/tynus3) for the report.

Are you affected?

Enter the version of the package you're using.

Affected packages

crates.io / rustls-webpki
Introduced in: 0.0.0-0 Fixed in: 0.103.13

Upgrade rustls-webpki to 0.103.13 or newer (ecosystem crates.io).

References