cryptography has a buffer overflow if non-contiguous buffers were passed to APIs

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.

Affected Products

Vendor	Product	Versions
pyca	cryptography	>= 45.0.0, < 46.0.7

References

https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

oss-security2h ago

PyCA cryptography 46.0.7 released, fixes CVE-2026-39892

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

cryptography@46.0.7

CWECWE-119

PublishedApr 8, 2026

Last enriched2h agov2

Community Vote

Version History

Last enriched 2h ago

v2Tier C2h ago

Updated exploit availability to true and marked the vulnerability as actively exploited.

exploitAvailableactivelyExploited

via oss-security

v13h ago

Initial creation