{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39892", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T20:32:03.011Z", "datePublished": "2026-04-08T20:49:41.967Z", "dateUpdated": "2026-04-08T21:16:07.164Z"}, "containers": {"cna": {"title": "cryptography has a buffer overflow if non-contiguous buffers were passed to APIs", "problemTypes": [{"descriptions": [{"cweId": "CWE-119", "lang": "en", "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq"}], "affected": [{"vendor": "pyca", "product": "cryptography", "versions": [{"version": ">= 45.0.0, < 46.0.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:49:41.967Z"}, "descriptions": [{"lang": "en", "value": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7."}], "source": {"advisory": "GHSA-p423-j2cm-9vmq", "discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/08/12"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-08T21:16:07.164Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7."}], "id": "CVE-2026-39892", "lastModified": "2026-04-08T22:16:21.907", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T21:17:01.547", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/08/12"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[45.0.0,46.0.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cryptography", "source": "cna", "vendor": "pyca"}, "product": "cryptography", "vendor": "pyca"}], "analysis": {"en": {"generated_at": "2026-04-08T23:00:22.570550+00:00", "value": {"mitigation_remediation": ["Upgrade the PyCA Cryptography package to version 46.0.7 or later.", "Confirm that no earlier versions of the package remain installed in the environment.", "When possible, avoid passing non\u2011contiguous buffers to cryptographic APIs such as Hash.update()."], "summary": {"action": "Patch", "impact": "Buffer overflow (potential memory corruption)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects versions of PyCA Cryptography ranging from 45.0.0 up to, but not including, 46.0.7. Any Python application using a pre\u201146.0.7 release and invoking cryptographic functions with non\u2011contiguous buffers is potentially vulnerable.", "description_and_impact": "A buffer overflow condition exists in the PyCA Cryptography Python package when a non\u2011contiguous buffer is supplied to APIs that accept Python buffers, such as the Hash.update() method. The affected code erroneously treats the non\u2011contiguous buffer as contiguous, allowing an attacker who can craft such a buffer to corrupt memory. This weakness is identified as CWE\u2011119.", "risk_and_exploitability": "The CVSS base score of 6.9 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to supply a crafted non\u2011contiguous buffer to a vulnerable API, which may be feasible in contexts where input is controllable. The risk is moderate and should be mitigated by updating the library."}}}}, "created": "2026-04-09T08:17:48.464730+00:00", "updated": "2026-04-09T08:27:11.992459+00:00", "vendors": ["pyca", "pyca$PRODUCT$cryptography"]}