CVE-2026-39892 MEDIUM

CVE-2026-39892: cryptography has a buffer overflow if non-contiguous buffers were passed to APIs

Vendor Pyca
Product cryptography
Weakness CWE-119
Published April 8, 2026
Last update June 30, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None
Availability Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

cryptography is a package that exposes cryptographic primitives and recipes to Python developers. In versions 45.0.0 up to but not including 46.0.7, passing a non-contiguous buffer to an API that accepts Python buffer objects (for example Hash.update()) could lead to a buffer overflow. The issue is fixed in 46.0.7.
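The trigger is a buffer-protocol object whose bytes are not one flat run in memory, such as a strided memoryview slice. The following is an added example, not code from pyca/cryptography: it shows how to detect such a buffer, how to coerce it into a contiguous copy before passing it to any buffer-consuming API, and what the standard library does with the same input. hashlib.sha256 is used as a stand-in for cryptography's Hash.update() so the block runs without the package installed; the function names and the sample input are assumptions made for this example.

```python
import hashlib

# Added example (not code from pyca/cryptography). hashlib.sha256 stands in for
# cryptography's Hash.update(); both consume the Python buffer protocol, so the
# same contiguity check applies before handing data to either.


def is_c_contiguous(buf) -> bool:
    """True if buf exposes a C-contiguous buffer, i.e. one flat run of bytes."""
    return memoryview(buf).c_contiguous


def to_contiguous(buf):
    """Return buf unchanged if already contiguous, otherwise a contiguous copy.

    memoryview.tobytes() walks the view's strides, so a strided slice is
    materialised with its logical contents rather than the raw underlying memory.
    """
    mv = memoryview(buf)
    if mv.c_contiguous:
        return buf
    return mv.tobytes()


def safe_sha256_hex(buf) -> str:
    """Hash buf with SHA-256 after coercing it to a contiguous buffer."""
    h = hashlib.sha256()
    h.update(to_contiguous(buf))
    return h.hexdigest()


def stdlib_rejects_strided(buf) -> bool:
    """Reference behaviour: hashlib refuses a non-contiguous view with BufferError
    instead of reading it as if it were flat. Returns True if it was rejected."""
    try:
        hashlib.sha256().update(buf)
    except BufferError:
        return True
    return False


# Constructed sample input: 256 bytes, then a stride-2 view over them.
DATA = bytes(range(256))
STRIDED = memoryview(DATA)[::2]      # non-contiguous: 128 bytes, stride 2
EXPECTED_CONTENT = bytes(range(0, 256, 2))


if __name__ == "__main__":
    print("DATA contiguous:", is_c_contiguous(DATA))          # True
    print("STRIDED contiguous:", is_c_contiguous(STRIDED))    # False
    print("hashlib rejects strided view:", stdlib_rejects_strided(STRIDED))
    print("digest via contiguous copy:", safe_sha256_hex(STRIDED))
```

A consumer that requests a simple buffer and is handed a strided view has two correct options: reject it (as hashlib does) or copy it into contiguous memory first. What it must not do is treat `len(buf)` bytes starting at the buffer pointer as the payload, because for a strided view the logical length and the underlying memory layout no longer agree. Applying `to_contiguous()` at the call site is a cheap guard while an affected version of cryptography is still in use; upgrading to 46.0.7 removes the need for it.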

Key dates

02 Disclosure timeline

April 8, 2026 CVE published
June 30, 2026 Record updated