PYSEC-2026-36

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/cryptography/PYSEC-2026-36.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-36
Aliases
Published
2026-04-08T21:17:01.547Z
Modified
2026-05-20T09:18:55.965312Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.
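An added example (not part of the advisory or of the cryptography project's code) that checks a version against the affected range stated above and, as a stopgap until the upgrade to 46.0.7, copies a non-contiguous buffer into contiguous bytes before it reaches a buffer-accepting API such as Hash.update(). The helper names `is_affected`, `affected_pins` and `as_contiguous` are hypothetical, and the requirement lines are constructed sample input.

```python
import re

INTRODUCED = (45, 0, 0)  # first affected release, per this advisory
FIXED = (46, 0, 7)       # first fixed release, per this advisory

# Matches an exact pin such as "cryptography==46.0.3" (extras allowed).
PIN = re.compile(r"^\s*cryptography(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)", re.IGNORECASE)

SAMPLE_REQUIREMENTS = [  # constructed sample input
    "requests==2.32.3",
    "cryptography==46.0.3  # pinned",
    "cryptography==46.0.7",
]

def parse_version(version):
    """Split a version string into (numeric release tuple, trailing suffix)."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts)), m.group(2)

def is_affected(version):
    """True if the version falls in the range 45.0.0 <= v < 46.0.7."""
    release, suffix = parse_version(version)
    # Assumption: a pre-release of the fixed version (e.g. "46.0.7rc1")
    # sorts before 46.0.7, so it is treated as still affected.
    if release == FIXED and re.match(r"\.?(a|b|rc|dev)", suffix):
        return True
    return INTRODUCED <= release < FIXED

def affected_pins(lines):
    """Return the pinned cryptography versions in requirements lines that are affected."""
    hits = []
    for line in lines:
        m = PIN.match(line)
        if m and is_affected(m.group(1)):
            hits.append(m.group(1))
    return hits

def as_contiguous(data):
    """Return data unchanged if its buffer is contiguous, else a contiguous bytes copy."""
    view = memoryview(data)
    if view.contiguous:
        return data
    return view.tobytes()  # copies the elements in logical order
```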

References

Affected packages

PyPI / cryptography

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
45.0.0
Fixed
46.0.7

Affected versions

45.*
45.0.0
45.0.1
45.0.2
45.0.3
45.0.4
45.0.5
45.0.6
45.0.7
46.*
46.0.0
46.0.1
46.0.2
46.0.3
46.0.4
46.0.5
46.0.6

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/cryptography/PYSEC-2026-36.yaml"