GHSA-p423-j2cm-9vmq

MEDIUM6.9

Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs

Published Apr 8, 2026

Modified 1 months ago

Fix available

Details

If a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. For example:

h = Hash(SHA256())
b.update(buf[::-1])

would read past the end of the buffer on Python >3.11

Affected Packages

cryptography

PyPI

Fixed in:

46.0.7

References

WEB

http://www.openwall.com/lists/oss-security/2026/04/08/12

ADVISORY

https://github.com/advisories/GHSA-p423-j2cm-9vmq

PACKAGE

https://github.com/pyca/cryptography

WEB

https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq

ADVISORY

https://nvd.nist.gov/vuln/detail/CVE-2026-39892

Aliases

CVE-2026-39892

CVSS Analysis

CVSS v4.0

6.9

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

NoneAT:N

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Vulnerable System

Vuln. Confidentiality

NoneVC:N

Vuln. Integrity

NoneVI:N

Vuln. Availability

LowVA:L

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

6.9/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CVE-2026-39892

Ecosystems

PyPI

Timeline

PublishedApr 8, 2026

ModifiedApr 9, 2026

GHSA-p423-j2cm-9vmq | Mondoo Vulnerability Intelligence