CVE-2026-26007

EUVD-2026-6238
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers(), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to supply a public key point P from a small-order subgroup, which can lead to security issues in common uses such as signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, S leaks victim_private_key mod (small_subgroup_order); for curves with cofactor > 1, this reveals the least significant bits of the private key. When such weak public keys are used in ECDSA, it is easy to forge signatures on the small subgroup. Only SECT curves are impacted. This vulnerability is fixed in 46.0.5.
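As an added illustration (not code from the cryptography project), the validation the fix adds, [n]P == O for the prime-order subgroup size n, on a constructed prime-field toy curve with cofactor 4; the SECT curves named in the advisory are binary-field curves, but the subgroup test has the same form. The curve, the point arithmetic and the sample points are all constructed here.

```python
# Added example, not code from the cryptography project: the subgroup check
# [n]P == O on a constructed prime-field toy curve. y^2 = x^3 + x over GF(163);
# since 163 = 3 (mod 4) the curve is supersingular and has 164 = 4 * 41 points,
# so the prime-order subgroup has n = 41 and the cofactor is h = 4.
P, A, B = 163, 1, 0
O = None  # point at infinity

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def add(p1, p2):  # affine point addition
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O  # p2 == -p1, which also covers doubling a 2-torsion point
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

POINTS = [O] + [(x, y) for x in range(P) for y in range(P) if on_curve((x, y))]
assert len(POINTS) == 164  # self-check of the constructed group order
N, H = 41, 4               # prime-order subgroup size and cofactor

def in_prime_order_subgroup(pt):
    """The validation missing before 46.0.5: on the curve, not O, killed by n."""
    return pt is not O and on_curve(pt) and mul(N, pt) is O

def small_order_point():  # [n]Q lands in the cofactor subgroup; take a non-O one
    return next(q for q in (mul(N, pt) for pt in POINTS) if q is not O)

def distinct_shared_secrets(pub):  # how many values [d]pub takes over all d
    return len({mul(d, pub) for d in range(1, len(POINTS))})
```

A small-order point passes an on-curve check but fails in_prime_order_subgroup, and an ECDH shared secret computed against it can take at most h values, which is exactly the leak of the private key modulo the small subgroup order that the advisory describes.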
CVSS 3.x Base Score (Provider: NIST, Type: Primary)
Base Score: 6.5 MEDIUM
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score Percentile: Unknown
Affected Products (NVD)
Vendor: cryptography.io; Product: cryptography; Version: < 46.0.5 (vulnerable software versions)
Debian Releases
Debian Product: python-cryptography
Codename: Version, Status
bookworm: no-dsa
bookworm (security): vulnerable
bullseye: postponed
bullseye (security): vulnerable
forky: 46.0.7-1, fixed
sid: 46.0.7-1, fixed
trixie: 43.0.0-3+deb13u1, fixed
Red Hat Enterprise Linux Releases
Red Hat Product: Release, Fixed package version, Status
fence-agents-aliyun: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-all: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-amt-ws: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-apc: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-apc-snmp: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-aws: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-azure-arm: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-bladecenter: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-brocade: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-cisco-mds: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-cisco-ucs: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-common: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-compute: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-drac5: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-eaton-snmp: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-emerson: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-eps: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-gce: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-heuristics-ping: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-hpblade: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-ibm-powervs: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-ibm-vpc: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-ibmblade: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-ifmib: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-ilo-moonshot: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-ilo-mp: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-ilo-ssh: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-ilo2: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-intelmodular: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-ipdu: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-ipmilan: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-kdump: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-kubevirt: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-lpar: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-mpath: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-nutanix-ahv: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-openstack: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-redfish: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-rhevm: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-rsa: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-rsb: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-sbd: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-scsi: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-virsh: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-vmware-rest: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-vmware-soap: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-wti: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-agents-zvm: RHEL 8, 0:4.2.1-129.el8_10.25, fixed; RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-virt: RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-virtd: RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-virtd-cpg: RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-virtd-libvirt: RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-virtd-multicast: RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-virtd-serial: RHEL 9, 0:4.10.0-110.el9_8.2, fixed
fence-virtd-tcp: RHEL 9, 0:4.10.0-110.el9_8.2, fixed
ha-cloud-support: RHEL 9, 0:4.10.0-110.el9_8.2, fixed