CVE-2026-10592
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
Certificates with wildcard DNS SANs (e.g. *.example.com) bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted.
Risk Assessment
The risk involves the potential acceptance of invalid certificates, which could lead to trust breaches and man-in-the-middle attacks.
Recommendation
It is recommended to immediately update certificate management systems and verify the correct implementation of name constraints for certificates with wildcard DNS SANs.
Original NVD description (English source)
Certificates with wildcard DNS SANs (e.g. *.example.com) bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted.

