Description
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.
Published: 2026-04-08
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Buffer overflow (potential memory corruption)
Action: Patch
AI Analysis

Impact

A buffer overflow condition exists in the PyCA Cryptography Python package when a non‑contiguous buffer is supplied to APIs that accept Python buffers, such as the Hash.update() method. The affected code erroneously treats the non‑contiguous buffer as contiguous, allowing an attacker who can craft such a buffer to corrupt memory. This weakness is identified as CWE‑119.

Affected Systems

The vulnerability affects versions of PyCA Cryptography ranging from 45.0.0 up to, but not including, 46.0.7. Any Python application using a pre‑46.0.7 release and invoking cryptographic functions with non‑contiguous buffers is potentially vulnerable.

Risk and Exploitability

The CVSS base score of 6.9 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to supply a crafted non‑contiguous buffer to a vulnerable API, which may be feasible in contexts where input is controllable. The risk is moderate and should be mitigated by updating the library.

Generated by OpenCVE AI on April 8, 2026 at 23:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PyCA Cryptography package to version 46.0.7 or later.
  • Confirm that no earlier versions of the package remain installed in the environment.
  • When possible, avoid passing non‑contiguous buffers to cryptographic APIs such as Hash.update().

Generated by OpenCVE AI on April 8, 2026 at 23:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p423-j2cm-9vmq Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs
History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Pyca
Pyca cryptography
Vendors & Products Pyca
Pyca cryptography

Wed, 08 Apr 2026 22:30:00 +0000

Type Values Removed Values Added
References

Wed, 08 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Description cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.
Title cryptography has a buffer overflow if non-contiguous buffers were passed to APIs
Weaknesses CWE-119
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Pyca Cryptography
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T21:16:07.164Z

Reserved: 2026-04-07T20:32:03.011Z

Link: CVE-2026-39892

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T21:17:01.547

Modified: 2026-04-08T22:16:21.907

Link: CVE-2026-39892

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:27:11Z

Weaknesses