CVE-2024-26130

cryptography NULL pointer deference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override

Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if pkcs12.serialize_key_and_certificates is called with both a certificate whose public key did not match the provided private key and an encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a ValueError is properly raised.

Database specific

{
    "cwe_ids": [
        "CWE-476"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26130.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/pyca/cryptography

Affected ranges

Type: GIT
Repo: https://github.com/pyca/cryptography
Events: Introduced

52d6f1a491f6ade379ace124b843ffba9fb4ab4f

Fixed

fe18470f7d05f963e7267e34fdf985d81ea6ceea

Affected versions

38.*

38.0.0

38.0.1

38.0.2

38.0.3

38.0.4

39.*

39.0.0

39.0.1

39.0.2

40.*

40.0.0

40.0.1

40.0.2

41.*

41.0.0

41.0.1

41.0.2

41.0.3

41.0.4

41.0.5

41.0.6

41.0.7

42.*

42.0.0

42.0.1

42.0.2

42.0.3

43.*

43.0.0

43.0.1

43.0.2

43.0.3

44.*

44.0.0

44.0.1

44.0.2

44.0.3

45.*

45.0.0

45.0.1

45.0.2

45.0.3

45.0.4

45.0.5

45.0.6

45.0.7

46.*

46.0.0

46.0.1

46.0.2

46.0.3

46.0.4

46.0.5

46.0.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26130.json"