CVE-2026-32877

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-32877
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32877.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32877
Aliases
  • GHSA-7jj6-4r42-w9h6
Downstream
Published
2026-03-30T20:36:43.672Z
Modified
2026-04-10T05:42:31.167885Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVSS Calculator
Summary
Botan: Heap Buffer Over-read in SM2 Decryption via Undersized C3 Hash Field
Details

Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-125"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32877.json"
}
References

Affected packages

Git / github.com/randombit/botan

Affected ranges

Type
GIT
Repo
https://github.com/randombit/botan
Events
Introduced
9474deacd67433908dec38a409892a334aab679d
Fixed
4f6f5bbaf7263ca6062e6644950ae30625f06490
Database specific 
{
    "versions": [
        {
            "introduced": "2.3.0"
        },
        {
            "fixed": "3.11.0"
        }
    ]
}

Affected versions

2.*
2.10.0
2.11.0
2.12.0
2.12.1
2.13.0
2.14.0
2.15.0
2.16.0
2.17.0
2.3.0
2.4.0
2.5.0
2.6.0
2.7.0
2.8.0
2.9.0
3.*
3.0.0
3.0.0-alpha0
3.0.0-alpha1
3.0.0-rc1
3.1.0
3.1.1
3.10.0
3.2.0
3.3.0
3.4.0
3.5.0
3.6.0
3.6.1
3.7.0
3.7.1
3.8.0
3.8.1
3.9.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32877.json"