DEBIAN-CVE-2026-33936

Source
https://security-tracker.debian.org/tracker/CVE-2026-33936
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33936.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-33936
Upstream
Published
2026-03-27T23:17:13.733Z
Modified
2026-04-03T06:00:36.323135Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
[none]
Details

The ecdsa PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. ecdsa.der.remove_octet_string() accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected. Because of that, a crafted DER input can cause SigningKey.from_der() to raise an internal exception (IndexError: index out of bounds on dimension 1) rather than cleanly rejecting malformed DER (e.g., raising UnexpectedDER or ValueError). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service. Version 0.19.2 patches the issue.
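
The length check that the Details paragraph says was missing, as an added standalone example (not python-ecdsa's code and not part of this record). The names MalformedDER, read_length, lax_octet_string and strict_octet_string are hypothetical, and the lax function only reproduces the described behaviour, not the library's source.

```python
class MalformedDER(ValueError):
    """Hypothetical error type: one exception for every malformed-DER case."""

def read_length(buf, offset):
    """Decode the DER length at buf[offset]; return (length, octets_used)."""
    if offset >= len(buf):
        raise MalformedDER("missing length octet")
    first = buf[offset]
    if first < 0x80:  # short form: the octet is the length
        return first, 1
    count = first & 0x7F  # long form: number of length octets that follow
    raw = buf[offset + 1:offset + 1 + count]
    if count == 0 or len(raw) != count or raw[0] == 0:
        raise MalformedDER("indefinite, truncated or non-minimal length")
    length = int.from_bytes(raw, "big")
    if length < 0x80:
        raise MalformedDER("long form used for a short length")
    return length, 1 + count

def lax_octet_string(buf):
    """Behaviour the advisory describes: slice without a bounds check."""
    length, used = read_length(buf, 1)
    start = 1 + used
    # Python slicing silently stops at the end of the buffer.
    return buf[start:start + length], buf[start + length:]

def strict_octet_string(buf):
    """Reject input whose declared length exceeds the bytes present."""
    if not buf or buf[0] != 0x04:
        raise MalformedDER("expected OCTET STRING tag 0x04")
    length, used = read_length(buf, 1)
    start = 1 + used
    available = len(buf) - start
    if length > available:
        raise MalformedDER("declared %d bytes, %d present" % (length, available))
    return buf[start:start + length], buf[start + length:]

# Constructed inputs: declared length 4096 with a 3-byte body, and a valid one.
TRUNCATED = bytes([0x04, 0x82, 0x10, 0x00]) + b"\x01\x02\x03"
WELL_FORMED = bytes([0x04, 0x03]) + b"\x01\x02\x03" + b"\xff"

if __name__ == "__main__":
    print("lax:", lax_octet_string(TRUNCATED))
    try:
        strict_octet_string(TRUNCATED)
    except MalformedDER as exc:
        print("strict:", exc)
```

Because MalformedDER subclasses ValueError, a caller that already catches ValueError around key parsing rejects the truncated input cleanly instead of failing later on a short buffer.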

References

Affected packages

Debian:11 / python-ecdsa

Package

Name
python-ecdsa
Purl
pkg:deb/debian/python-ecdsa?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*
0.16.1-1
0.17.0-1
0.18.0~b1-1
0.18.0~b2-1
0.18.0-1
0.18.0-2
0.18.0-3
0.18.0-4
0.18.0-5
0.19.0-1
0.19.0-2
0.19.1-1
0.19.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33936.json"

Debian:12 / python-ecdsa

Package

Name
python-ecdsa
Purl
pkg:deb/debian/python-ecdsa?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*
0.18.0-3
0.18.0-4
0.18.0-5
0.19.0-1
0.19.0-2
0.19.1-1
0.19.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33936.json"

Debian:13 / python-ecdsa

Package

Name
python-ecdsa
Purl
pkg:deb/debian/python-ecdsa?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*
0.19.1-1
0.19.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33936.json"

Debian:14 / python-ecdsa

Package

Name
python-ecdsa
Purl
pkg:deb/debian/python-ecdsa?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.19.2-1

Affected versions

0.*
0.19.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33936.json"