CVE-2026-39892

EUVD-2026-20640
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 6%
Affected Products (NVD)
VendorProductVersion
cryptography.iocryptography
45.0.0 ≤
𝑥
< 46.0.7
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-cryptography
bookworm
38.0.4-3+deb12u1
fixed
bookworm (security)
38.0.4-3~deb12u1
fixed
bullseye
3.3.2-1
fixed
bullseye (security)
3.3.2-1+deb11u1
fixed
forky
46.0.7-1
fixed
sid
46.0.7-1
fixed
trixie
43.0.0-3+deb13u1
fixed
Common Weakness Enumeration
References
https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq
http://www.openwall.com/lists/oss-security/2026/04/08/12