Description
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA, it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. This vulnerability is fixed in 46.0.5.
Published: 2026-02-10
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Signature forgery and private key leakage via small‑subgroup misuse
Action: Immediate Patch
AI Analysis

Impact

The cryptography library omitted verification that input points belong to the curve's prime‑order subgroup during key construction, so an attacker can supply a point that lies on the curve but in a small‑order subgroup. When such a point is used in ECDSA, this allows forging signatures; when it is used in ECDH, the shared secret leaks the private key modulo the small subgroup order, revealing its least significant bits for curves with a cofactor greater than one. The vulnerability affects only SECT (binary) curves and can compromise signature verification or key agreement implementations that rely on pyca/cryptography.

Affected Systems

Python applications that import the cryptography package before version 46.0.5 and use the public_key_from_numbers, EllipticCurvePublicNumbers.public_key, load_der_public_key, or load_pem_public_key functions with SECT curves are vulnerable. Users of the library for ECDSA or ECDH operations are impacted.

Risk and Exploitability

With an 8.2 CVSS score, the flaw is high severity. The EPSS score is under 1%, indicating a low current exploitation probability, and it is not listed in the CISA KEV catalog. An attacker can exploit it by supplying a crafted public key to any endpoint or library that loads or verifies a key via the affected functions. The attack is feasible both remotely (where a client can supply a malicious public key) and locally (where local code uses the vulnerable functions).

Generated by OpenCVE AI on April 18, 2026 at 12:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to cryptography 46.0.5 or later to install the subgroup validation fix.
  • Re‑run any components that load or verify public keys to confirm they no longer create or accept points outside the curve's prime‑order subgroup; consider logging or recording key validity.
  • Add custom validation for public keys if the upstream library cannot be upgraded, ensuring the point lies on the curve and in its prime‑order subgroup (i.e. [n]P is the point at infinity) before use.
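The subgroup check described in the description above and in the last recommended action, written out as an added example (not pyca/cryptography's own code) for sect163k1, whose cofactor is 2 so that (0, sqrt(b)) is an on-curve point of order 2. The curve constants are the standard SEC 2 / NIST K-163 parameters; the GF(2^163) and affine point arithmetic is a textbook implementation assumed here for illustration, not the library's.

```python
from functools import reduce

# sect163k1 (SEC 2 / NIST K-163) domain parameters; cofactor h = 2
M = 163
POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1   # field polynomial
A, B = 1, 1
N = 0x04000000000000000000020108A2E0CC0D99F8A5EF             # prime order n
G = (0x02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8,
     0x0289070FB05D38FF58321F2E800536D538CCDAA3D9)

def gf_mul(a, b):                       # shift-and-add multiply in GF(2^163)
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = (a << 1) ^ (POLY if a >> (M - 1) else 0)
    return r

def gf_inv(a):                          # binary-polynomial extended Euclid
    u, v, g1, g2 = a, POLY, 1, 0
    while u != 1:
        j = u.bit_length() - v.bit_length()
        if j < 0:
            u, v, g1, g2, j = v, u, g2, g1, -j
        u ^= v << j
        g1 ^= g2 << j
    return g1

def on_curve(P):                        # y^2 + xy == x^3 + a*x^2 + b
    x, y = P
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x ^ A) ^ B

def pt_add(P, Q):                       # affine add / double; None = infinity
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:         # Q == -P, or P = (0, sqrt b) of order 2
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))
        x3 = gf_mul(lam, lam) ^ lam ^ A
        return x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1

def pt_mul(k, P):                       # left-to-right double-and-add
    R = None
    for bit in bin(k)[2:]:
        R = pt_add(pt_add(R, R), P if bit == "1" else None)
    return R

def is_valid_public_point(P):           # the missing check: on curve AND [n]P = O
    return P is not None and on_curve(P) and pt_mul(N, P) is None

def order_two_point():                  # (0, sqrt(b)), sqrt(b) = b^(2^(m-1))
    return (0, reduce(lambda s, _: gf_mul(s, s), range(M - 1), B))
```

Both the order-2 point and G plus that point pass an on-curve-only check but fail the [n]P = O check, which is exactly the class of key the unfixed loaders accepted.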


Advisories
Source | ID | Title
GitHub GHSA | GHSA-r6ph-v2qm-q3c2 | cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
Ubuntu USN | USN-8087-1 | python-cryptography vulnerability
History

Mon, 23 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Cryptography.io
Cryptography.io cryptography
CPEs cpe:2.3:a:cryptography.io:cryptography:*:*:*:*:*:python:*:*
Vendors & Products Cryptography.io
Cryptography.io cryptography
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Pyca
Pyca cryptography
Vendors & Products Pyca
Pyca cryptography
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-354
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Important


Wed, 11 Feb 2026 00:30:00 +0000

Type Values Removed Values Added
References

Tue, 10 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
Description cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA, it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. This vulnerability is fixed in 46.0.5.
Title cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
Weaknesses CWE-345
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-11T21:28:47.345Z

Reserved: 2026-02-09T21:36:29.552Z

Link: CVE-2026-26007

Vulnrichment

Updated: 2026-02-10T23:14:21.776Z

NVD

Status: Analyzed

Published: 2026-02-10T22:17:00.307

Modified: 2026-02-23T15:40:33.787

Link: CVE-2026-26007

Redhat

Severity: Important

Public Date: 2026-02-10T21:42:56Z

Links: CVE-2026-26007 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses