An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
GHSA-5mh9-3jwc-rp59: An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard...
An excluded subdomain constraint in a certificate chain does not prevent the usage of wildcard SANs in the leaf certificate, potentially allowing unauthorized access to subdomains.