CVE-2026-39892
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk47th percentile — higher than 47% of all known CVEs
Summary
A vulnerability in the cryptography library for Python (versions 45.0.0 to 46.0.6) allows buffer overflow when processing non-contiguous buffers passed to APIs that accept Python buffers, such as Hash.update(). The issue is fixed in version 46.0.7.
Risk Assessment
An attacker could exploit this vulnerability to cause application crashes or potentially execute arbitrary code, threatening the confidentiality and integrity of data processed by applications using the cryptography library.
Recommendation
Immediately update the cryptography library to version 46.0.7 or later in all environments where it is used.
Original NVD description (English source)
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.

