CVE-2026-39892: Out-of-bounds Read in Python Cryptography via Non-Contiguous Buffers
Vulnerability ID: CVE-2026-39892
CVSS Score: 6.9
Published: 2026-04-08
CVE-2026-39892 is a memory safety vulnerability within the Python cryptography package affecting versions 45.0.0 through 46.0.6. The flaw occurs due to improper handling of non-contiguous memory buffers passed through the Python Buffer Protocol, resulting in an out-of-bounds memory read when using Python 3.11 or later.
TL;DR
An out-of-bounds read in the Python cryptography package (pyca/cryptography) allows attackers to cause a denial of service or limited memory disclosure by providing non-contiguous buffer slices to its APIs.
⚠️ Exploit Status: POC
Technical Details
- CVE ID: CVE-2026-39892
- CVSS v4.0: 6.9 (Medium)
- CWE ID: CWE-119
- Attack Vector: Network
- Exploit Status: Proof-of-Concept
- CISA KEV: Not Listed
Affected Systems
- pyca/cryptography package (versions 45.0.0 to 46.0.6)
- Python environments running version > 3.11
- cryptography: >= 45.0.0, < 46.0.7 (fixed in 46.0.7)
Exploit Details
- Provided PoC Script: Python snippet demonstrating how passing a reversed bytearray slice to Hash.update() triggers the memory violation.
Mitigation Strategies
- Upgrade the python cryptography library to version 46.0.7 or greater
- Enforce explicit type conversion to `bytes` for all data handled by cryptography APIs
Remediation Steps:
- Identify all projects and virtual environments utilizing the `cryptography` library.
- Execute `pip install --upgrade "cryptography>=46.0.7"` in affected environments (the version specifier is quoted so the shell does not treat `>` as a redirect).
- Audit application source code for direct passage of memory views or sliced arrays to cryptographic primitives.
- Implement continuous dependency scanning to prevent regression to vulnerable library versions.
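As an added example (not part of this advisory or of the pyca/cryptography project), the following Python helper implements the mitigation and audit steps above: it detects buffer-protocol objects that are not C-contiguous and normalises them to an immutable `bytes` copy before they reach a hashing API. `hashlib` stands in for `cryptography.hazmat.primitives.hashes.Hash` so the snippet runs without the package; the reversed memoryview is a constructed input, and treating a strided memoryview as the advisory's "reversed bytearray slice" is an assumption.

```python
import hashlib
from typing import Any


def is_contiguous(buf: Any) -> bool:
    """True when `buf` exposes a C-contiguous buffer (bytes, bytearray, a
    plain memoryview). Strided views such as mv[::-1] or mv[::2] are not,
    and those are the inputs a native extension must not treat as a raw
    pointer plus length."""
    return memoryview(buf).c_contiguous


def to_contiguous_bytes(buf: Any) -> bytes:
    """Materialise any buffer-protocol object as an immutable, contiguous
    bytes copy. memoryview.tobytes() walks the view's strides, so a
    reversed or stepped view is copied in its logical element order."""
    return memoryview(buf).tobytes()


def safe_digest(buf: Any, strict: bool = False) -> str:
    """Hash `buf` only after normalising it. With strict=True a
    non-contiguous input is rejected instead of copied, which is the right
    policy at a trust boundary where callers should never hand over views.
    Assumption: the same normalisation applies to any API that accepts
    buffer objects, not only hashing."""
    if not is_contiguous(buf):
        if strict:
            raise TypeError(
                f"refusing non-contiguous buffer of type {type(buf).__name__}"
            )
        buf = to_contiguous_bytes(buf)
    return hashlib.sha256(buf).hexdigest()


if __name__ == "__main__":
    # Constructed input: a reversed memoryview over a bytearray has a
    # stride of -1 and is therefore not C-contiguous.
    backing = bytearray(b"constructed sample input")
    reversed_view = memoryview(backing)[::-1]
    print("backing contiguous:", is_contiguous(backing))
    print("reversed view contiguous:", is_contiguous(reversed_view))
    print("digest matches bytes copy:",
          safe_digest(reversed_view) == safe_digest(bytes(backing)[::-1]))
```

Passing `strict=True` in the wrapper turns the audit step into a runtime control: any code path that still forwards a sliced view fails loudly instead of reaching the native layer.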
References
- GitHub Security Advisory GHSA-p423-j2cm-9vmq
- Cryptography Changelog
- OSS-Security Mailing List Announcement
- NVD Record for CVE-2026-39892