CVE-2026-27459 HIGH

CVE-2026-27459: pyOpenSSL DTLS cookie callback buffer overflow

Vendor Pyca
Product pyopenssl
Weakness CWE-120
Published March 17, 2026
Last update June 30, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01 Description

pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user-provided callback registered with `set_cookie_generate_callback` returned a DTLS cookie value longer than 256 bytes, pyOpenSSL copied it into an OpenSSL-provided fixed-size buffer without a length check, overflowing that buffer. Starting in version 26.0.0, cookie values that are too long are rejected instead of being copied.
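The following is an added example, not code from pyOpenSSL or from this advisory. It shows a DTLS cookie generate/verify pair of the shape `set_cookie_generate_callback` and `set_cookie_verify_callback` expect in pyOpenSSL 22.0.0 and later (generate: `Callable[[Connection], bytes]`; verify: `Callable[[Connection, bytes], bool]`), plus a guard that refuses to hand an oversize cookie to pyOpenSSL at all, which is the protection a deployment still on a version before 26.0.0 has to supply itself. The cookie construction (timestamp plus HMAC-SHA256 over the peer identity), the 255-byte cap (the largest value the one-byte DTLS cookie length field can encode, and below the 256-byte bound the advisory gives), the `peer_of` hook and `install_dtls_cookie_callbacks` are all this example's own choices, not part of pyOpenSSL's API.

```python
import hashlib
import hmac
import struct
import time
from typing import Callable, Optional

# Example constants (assumptions, not from pyOpenSSL). 255 is the maximum a DTLS
# HelloVerifyRequest cookie length byte can carry, so any cookie that passes this
# guard is also under the 256-byte overflow bound described in the advisory.
MAX_COOKIE_LEN = 255
COOKIE_TTL_SECONDS = 60
_TS_LEN = 8
_MAC_LEN = hashlib.sha256().digest_size


class CookieTooLong(ValueError):
    """Raised before the cookie reaches pyOpenSSL, so it is never copied into OpenSSL's buffer."""


def check_cookie_length(cookie: bytes) -> bytes:
    """Return the cookie unchanged if it is bytes and fits; raise otherwise."""
    if not isinstance(cookie, bytes):
        raise TypeError("cookie callback must return bytes")
    if len(cookie) > MAX_COOKIE_LEN:
        raise CookieTooLong(f"cookie is {len(cookie)} bytes, limit is {MAX_COOKIE_LEN}")
    return cookie


def guarded(callback: Callable) -> Callable:
    """Wrap any user-written generate callback so an oversize result is rejected, not copied."""
    def wrapper(conn):
        return check_cookie_length(callback(conn))
    return wrapper


def _mac(secret: bytes, peer: bytes, ts: int) -> bytes:
    # Bind the cookie to the issuing time and the client identity so a cookie
    # captured for one peer cannot be replayed from another address.
    return hmac.new(secret, struct.pack(">Q", ts) + peer, hashlib.sha256).digest()


def generate_cookie(secret: bytes, peer: bytes, now: Optional[int] = None) -> bytes:
    """Stateless cookie: 8-byte big-endian timestamp || HMAC-SHA256(secret, ts || peer). 40 bytes total."""
    ts = int(time.time()) if now is None else now
    return check_cookie_length(struct.pack(">Q", ts) + _mac(secret, peer, ts))


def verify_cookie(secret: bytes, peer: bytes, cookie: bytes, now: Optional[int] = None) -> bool:
    """Accept only a well-formed, unexpired cookie whose MAC matches this peer (constant-time compare)."""
    if len(cookie) != _TS_LEN + _MAC_LEN:
        return False
    ts = struct.unpack(">Q", cookie[:_TS_LEN])[0]
    current = int(time.time()) if now is None else now
    if not 0 <= current - ts <= COOKIE_TTL_SECONDS:
        return False
    return hmac.compare_digest(cookie[_TS_LEN:], _mac(secret, peer, ts))


def install_dtls_cookie_callbacks(ctx, secret: bytes, peer_of: Callable[[object], bytes]) -> None:
    """Register the pair on a pyOpenSSL DTLS server Context.

    ctx is an OpenSSL.SSL.Context built with a DTLS method; peer_of(conn) is an
    application-supplied function (assumption) returning bytes that identify the
    client, for example the packed source address of the datagram being handled.
    """
    def on_generate(conn):
        return generate_cookie(secret, peer_of(conn))

    def on_verify(conn, cookie):
        return verify_cookie(secret, peer_of(conn), cookie)

    ctx.set_cookie_generate_callback(guarded(on_generate))
    ctx.set_cookie_verify_callback(on_verify)
```

`generate_cookie` and `verify_cookie` take `now` only so the expiry logic can be exercised with fixed times; in production leave it unset. `guarded` is the piece worth keeping even after upgrading to 26.0.0: it turns a too-long cookie into a Python exception at the callback boundary rather than relying on the library to catch it.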

Key dates

02 Disclosure timeline

March 17, 2026 CVE published
June 30, 2026 Record updated