DEBIAN-CVE-2026-32877

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-32877

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-32877.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-32877

Upstream

CVE-2026-32877

Published

2026-03-30T21:17:09.767Z

Modified

2026-04-14T05:03:22.656666Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVSS Calculator

Summary

[none]

Details

Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.

References

https://security-tracker.debian.org/tracker/CVE-2026-32877

Affected packages

Debian:11 / botan

Package

Name: botan
Purl: pkg:deb/debian/botan?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.17.3+dfsg-2

2.17.3+dfsg-3

2.18.1+dfsg-1

2.18.1+dfsg-2

2.18.1+dfsg-3

2.18.2+dfsg-1

2.19.1+dfsg-1

2.19.1+dfsg-2

2.19.1+dfsg-3

2.19.2+dfsg-1

2.19.3+dfsg-1

2.19.4+dfsg-1

2.19.5+dfsg-1

2.19.5+dfsg-2

2.19.5+dfsg-3

2.19.5+dfsg-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-32877.json"

Debian:12 / botan

Package

Name: botan
Purl: pkg:deb/debian/botan?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.19.3+dfsg-1

2.19.3+dfsg-1+deb12u1

2.19.4+dfsg-1

2.19.5+dfsg-1

2.19.5+dfsg-2

2.19.5+dfsg-3

2.19.5+dfsg-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-32877.json"

Debian:13 / botan

Package

Name: botan
Purl: pkg:deb/debian/botan?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.19.5+dfsg-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-32877.json"

Debian:13 / botan3

Package

Name: botan3
Purl: pkg:deb/debian/botan3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.7.1+dfsg-2

3.8.1+dfsg-1

3.9.0+dfsg-1

3.9.0+dfsg-2

3.9.0+dfsg-2.1

3.10.0+dfsg-1

3.10.0+dfsg-2

3.11.0+dfsg-1

3.11.1+dfsg-1

3.11.1+dfsg-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-32877.json"

Debian:14 / botan3

Package

Name: botan3
Purl: pkg:deb/debian/botan3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.11.0+dfsg-2

Affected versions

3.*

3.7.1+dfsg-2

3.8.1+dfsg-1

3.9.0+dfsg-1

3.9.0+dfsg-2

3.9.0+dfsg-2.1

3.10.0+dfsg-1

3.10.0+dfsg-2

3.11.0+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-32877.json"