UNKNOWN PyPI
Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs
GHSA-p423-j2cm-9vmq · CVE-2026-39892 · PYSEC-2026-36
Description
If a non-contiguous buffer was passed to an API that accepts Python buffers (e.g. Hash.update()), this could lead to a buffer overflow. For example:
from cryptography.hazmat.primitives.hashes import Hash, SHA256

# buf is assumed to be a memoryview (not shown in the original snippet);
# slicing a memoryview with a negative step yields a non-contiguous view.
buf = memoryview(bytearray(b"example input"))
h = Hash(SHA256())
h.update(buf[::-1])
would read past the end of the buffer on Python >3.11.
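A defender-side check for the condition described above, added here as an example and not code from the advisory or from pyca/cryptography. It assumes hashlib's sha256 as a stand-in for cryptography's Hash(SHA256()), and the helper names (is_c_contiguous, ensure_c_contiguous, safe_digest, describe_view) and the sample bytes are constructed for illustration:

```python
import hashlib

# Constructed sample buffer and two non-contiguous views over it.
SAMPLE = bytearray(b"0123456789abcdef")
REVERSED_VIEW = memoryview(SAMPLE)[::-1]   # stride -1: data pointer at the last byte
STRIDED_VIEW = memoryview(SAMPLE)[::2]     # stride 2: every other byte


def describe_view(buf):
    """Expose the buffer-protocol fields a C consumer sees.

    A consumer that takes the data pointer and reads `nbytes` forward is only
    correct when the view is C-contiguous; for a reversed view the pointer sits
    at the last byte, so a forward read walks off the end of the allocation.
    """
    mv = memoryview(buf)
    return {"nbytes": mv.nbytes, "strides": mv.strides, "c_contiguous": mv.c_contiguous}


def is_c_contiguous(buf):
    """True if the logical bytes are laid out back-to-back in memory."""
    return memoryview(buf).c_contiguous


def ensure_c_contiguous(buf):
    """Return the logical bytes of `buf` as a contiguous bytes object.

    memoryview.tobytes() follows the view's strides, so reversed or strided
    views are copied in logical order into a fresh contiguous buffer.
    """
    if isinstance(buf, bytes):
        return buf  # immutable and already contiguous; no copy needed
    return memoryview(buf).tobytes()


def safe_digest(buf):
    """Hash any buffer-protocol object after normalising it to contiguous bytes.

    hashlib.sha256 stands in for cryptography's Hash(SHA256()); the point is
    that the callee only ever receives a contiguous buffer.
    """
    h = hashlib.sha256()
    h.update(ensure_c_contiguous(buf))
    return h.hexdigest()
```

Calling ensure_c_contiguous() at the boundary where untrusted or caller-supplied buffers enter native code removes the dependence on the callee handling strides correctly.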
References
- WEB https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-39892
- PACKAGE https://github.com/pyca/cryptography
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2026-36.yaml
- WEB http://www.openwall.com/lists/oss-security/2026/04/08/12