CVE-2026-27459
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk49th percentile - higher than 49% of all known CVEs
Summary
A vulnerability in pyOpenSSL versions 22.0.0 through 25.x allows a buffer overflow in OpenSSL when the `set_cookie_generate_callback` returns a cookie value longer than 256 bytes. The issue is fixed in version 26.0.0 by rejecting overly long cookie values.
Risk Assessment
An attacker could exploit this buffer overflow to cause application crashes or potentially achieve remote code execution in the context of the process using pyOpenSSL.
Recommendation
Immediately upgrade pyOpenSSL to version 26.0.0 or later. If an upgrade is not possible, ensure that cookie values returned by the callback do not exceed 256 bytes.
Original NVD description (English source)
pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.

