
Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.

PUBLISHED Reserved 2026-04-07 | Published 2026-04-08 | Updated 2026-04-09 | Assigner GitHub_M




MEDIUM: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N)

Problem types

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Product status

>= 45.0.0, < 46.0.7: affected

References

www.openwall.com/lists/oss-security/2026/04/08/12

github.com/...graphy/security/advisories/GHSA-p423-j2cm-9vmq

cve.org (CVE-2026-39892)

nvd.nist.gov (CVE-2026-39892)
