CVE-2023-49083 MEDIUM

CVE-2023-49083: cryptography vulnerable to NULL-dereference when loading PKCS7 certificates

Vendor Pyca
Product cryptography
Weakness CWE-476
Published November 29, 2023
Last update December 18, 2025

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

Key dates

02Disclosure timeline

November 29, 2023 CVE published
December 18, 2025 Record updated