CVE Catalog

CVE-2026-39892

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.65%

47th percentile — higher than 47% of all known CVEs

Summary

A vulnerability in the cryptography library for Python (versions 45.0.0 to 46.0.6) allows buffer overflow when processing non-contiguous buffers passed to APIs that accept Python buffers, such as Hash.update(). The issue is fixed in version 46.0.7.

Risk Assessment

An attacker could exploit this vulnerability to cause application crashes or potentially execute arbitrary code, threatening the confidentiality and integrity of data processed by applications using the cryptography library.

Recommendation

Immediately update the cryptography library to version 46.0.7 or later in all environments where it is used.

Original NVD description (English source)

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS