CVE-2026-3446
6
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Python Software Foundation | CPython | 0 < 3.13.13 | affected |
| Python Software Foundation | CPython | 3.14.0 < 3.14.4 | affected |
| Python Software Foundation | CPython | 3.15.0a1 < 3.15.0a8 | affected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/python/cpython/pull/145267
- https://github.com/python/cpython/issues/145264
- https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53/
- https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474
- https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e
- https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.