CVE-2026-39892
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| pyca | cryptography | >= 45.0.0, < 46.0.7 | affected |
Weaknesses
- CWE-119: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
cryptography: Cryptography: Buffer overflow via non-contiguous buffer in API
Additional References
- https://access.redhat.com/security/cve/CVE-2026-39892
- https://bugzilla.redhat.com/show_bug.cgi?id=2456735
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39892.json
- https://access.redhat.com/errata/RHSA-2026:24761
- https://access.redhat.com/errata/RHSA-2026:24762
- https://access.redhat.com/errata/RHSA-2026:30089
- https://access.redhat.com/errata/RHSA-2026:30088
- https://access.redhat.com/errata/RHSA-2026:24866
- https://access.redhat.com/errata/RHSA-2026:20338
- https://access.redhat.com/errata/RHSA-2026:7295
- https://access.redhat.com/errata/RHSA-2026:24977
- https://access.redhat.com/errata/RHSA-2026:22840
- https://access.redhat.com/errata/RHSA-2026:22629
- https://access.redhat.com/errata/RHSA-2026:21017
- https://access.redhat.com/errata/RHSA-2026:24853
- https://access.redhat.com/errata/RHSA-2026:19375
- https://access.redhat.com/errata/RHSA-2026:22465
- https://access.redhat.com/errata/RHSA-2026:23361
- https://access.redhat.com/errata/RHSA-2026:24483
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.