Chrome has published an update to their root program today.
https://www.chromium.org/Home/chromium-security/root-ca-policy/
Notably, this contains a timeline for deprecating use of the TLS Client Auth extended-key-usage inside the PKIs included in their program.
If you currently use TLS Client Auth from a publicly trusted CA, you may need to take action.
... certificates issued on or after June 15, 2026 MUST include the extendedKeyUsage extension and only assert an extendedKeyUsage purpose of id-kp-serverAuth.
Let's Encrypt will be making announcements in the next few weeks as to our strategy for compliance with this new policy.