CVE-2026-33936

Source
https://cve.org/CVERecord?id=CVE-2026-33936
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33936.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33936
Published
2026-03-27T22:08:22.868Z
Modified
2026-04-10T05:43:19.856986Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
python-ecdsa: Denial of Service via improper DER length validation in crafted private keys
Details

The ecdsa PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. ecdsa.der.remove_octet_string() accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected. Because of that, a crafted DER input can cause SigningKey.from_der() to raise an internal exception (IndexError: index out of bounds on dimension 1) rather than cleanly rejecting malformed DER (e.g., raising UnexpectedDER or ValueError). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service. Version 0.19.2 patches the issue.
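
Added example (not code from python-ecdsa or from this record): a minimal strict DER OCTET STRING reader showing the bounds check described above, where a declared length larger than the remaining buffer is rejected with one documented exception type. The names MalformedDER, read_length, remove_octet_string_strict and parse_untrusted, and the sample byte strings, are constructed for illustration.

```python
"""Strict DER OCTET STRING reader (added example; not python-ecdsa code)."""


class MalformedDER(ValueError):
    """Single, documented exception type for every malformed-input case."""


def read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (content_length, octets_used_by_length_field) at buf[pos:]."""
    if pos >= len(buf):
        raise MalformedDER("missing length octet")
    first = buf[pos]
    if first < 0x80:                      # short form: length fits in 7 bits
        return first, 1
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0:
        raise MalformedDER("indefinite length is not allowed in DER")
    if pos + 1 + n > len(buf):
        raise MalformedDER("length field itself is truncated")
    raw = buf[pos + 1 : pos + 1 + n]
    if raw[0] == 0 or (n == 1 and raw[0] < 0x80):
        raise MalformedDER("non-minimal length encoding")
    return int.from_bytes(raw, "big"), 1 + n


def remove_octet_string_strict(buf: bytes) -> tuple[bytes, bytes]:
    """Return (body, rest); reject a declared length exceeding the buffer."""
    if not buf or buf[0] != 0x04:
        raise MalformedDER("expected OCTET STRING tag 0x04")
    length, used = read_length(buf, 1)
    start = 1 + used
    end = start + length
    if end > len(buf):                    # the check the advisory says was missing
        raise MalformedDER(f"declared {length} bytes, only {len(buf) - start} available")
    return buf[start:end], buf[end:]


def parse_untrusted(buf: bytes):
    """Caller-side pattern: malformed input becomes a clean None, not a crash."""
    try:
        return remove_octet_string_strict(buf)
    except MalformedDER:
        return None


# Constructed samples: a well-formed 3-byte OCTET STRING followed by a NULL,
# and the advisory's case (length 4096 = 0x1000 declared, 3 bytes present).
GOOD = bytes.fromhex("0403414243") + b"\x05\x00"
TRUNCATED = bytes.fromhex("04821000") + b"ABC"
```

Callers on versions before 0.19.2 that must accept untrusted DER keys can apply the same caller-side pattern as parse_untrusted, catching the unexpected exception types as well, until they upgrade.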

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33936.json",
    "cwe_ids": [
        "CWE-130",
        "CWE-20"
    ]
}
Affected packages

Git / github.com/tlsfuzzer/python-ecdsa

Affected ranges

Type
GIT
Repo
https://github.com/tlsfuzzer/python-ecdsa
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.19.2"
        }
    ]
}

Affected versions

python-ecdsa-0.*
python-ecdsa-0.10
python-ecdsa-0.11
python-ecdsa-0.12
python-ecdsa-0.13
python-ecdsa-0.14
python-ecdsa-0.14.1
python-ecdsa-0.15
python-ecdsa-0.16.0
python-ecdsa-0.16.1
python-ecdsa-0.17.0
python-ecdsa-0.18.0
python-ecdsa-0.18.0b1
python-ecdsa-0.18.0b2
python-ecdsa-0.19.0
python-ecdsa-0.19.1
python-ecdsa-0.5
python-ecdsa-0.6
python-ecdsa-0.7
python-ecdsa-0.8
python-ecdsa-0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33936.json"