CVE-2026-39892 - Vulnerability Details

- cryptography has a buffer overflow if non-contiguous buffers were passed to APIs

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.

Published: 2026-04-08

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in the cryptography library allows a buffer overflow when a non‑contiguous Python buffer is provided to APIs that accept buffer objects, such as Hash.update(). This overflow can corrupt memory and potentially lead to arbitrary code execution or a crash. The weakness is characterized by CWE‑119 and CWE‑131, indicating improper handling of buffer sizes and memory boundaries.

Affected Systems

The affected product is the pyca:cryptography library. Versions from 45.0.0 up to, but not including, 46.0.7 are vulnerable. The issue has been addressed in release 46.0.7.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate impact if exploited. EPSS indicates the likelihood of exploitation is very low, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely local or application‑level: any Python program that uses cryptography and passes a non‑contiguous buffer to a relevant API could trigger the overflow. Due to the nature of the overflow, successful exploitation could compromise application or system integrity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

pyca

cryptography

affected

Version	Status	Constraints
`>= 45.0.0, < 46.0.7`	affected	—

Configuration 1 [-]

cpe:2.3:a:cryptography.io:cryptography:*:*:*:*:*:python:*:*

No data.

Vendor Product Confidence Versions

Pyca

Cryptography

100%

Version	Status	Scheme	Platform
`[45.0.0,46.0.7)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade pyca:cryptography to version 46.0.7 or newer. If an upgrade is not immediately possible, ensure that no non‑contiguous buffers are passed to cryptography APIs. Monitor the package’s release notes for future updates.

Generated by OpenCVE AI on April 10, 2026 at 01:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-p423-j2cm-9vmq	Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00021.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/04/08/12
https://github.com/pyca/cryptography/commit/622d672e429a7cff836a23c5903683dbec1901f5
https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq
https://nvd.nist.gov/vuln/detail/CVE-2026-39892
https://www.cve.org/CVERecord?id=CVE-2026-39892

History

Wed, 15 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cryptography.io Cryptography.io cryptography
CPEs		cpe:2.3:a:cryptography.io:cryptography::::::python::*
Vendors & Products		Cryptography.io Cryptography.io cryptography
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 10 Apr 2026 04:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 10 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-131
References		https://github.com/pyca/cryptography/commit/622d672e429a7cff836a23c5903683dbec1901f5 https://nvd.nist.gov/vuln/detail/CVE-2026-39892 https://www.cve.org/CVERecord?id=CVE-2026-39892
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}` threat_severity `Moderate`

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pyca Pyca cryptography
Vendors & Products		Pyca Pyca cryptography

Wed, 08 Apr 2026 22:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/04/08/12

Wed, 08 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
Description		cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.
Title		cryptography has a buffer overflow if non-contiguous buffers were passed to APIs
Weaknesses		CWE-119
References		https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}`

Subscriptions

Cryptography.io Cryptography

Pyca Cryptography

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-08T20:49:41.967Z

Updated: 2026-04-09T19:52:22.602Z

Reserved: 2026-04-07T20:32:03.011Z

Link: CVE-2026-39892

Vulnrichment

Updated: 2026-04-08T21:16:07.164Z

NVD

Status : Analyzed

Published: 2026-04-08T21:17:01.547

Modified: 2026-04-15T16:12:39.677

Link: CVE-2026-39892

Redhat

Severity : Moderate

Publid Date: 2026-04-08T20:49:41Z

Links: CVE-2026-39892 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:40:32Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object