Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/python-cryptography@46.0.6-1

Type deb

Namespace debian

Name python-cryptography

Version 46.0.6-1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 46.0.7-1

Latest_non_vulnerable_version 46.0.7-1

Affected_by_vulnerabilities

url VCID-za3q-wwzc-qbgv

vulnerability_id VCID-za3q-wwzc-qbgv

summary cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-39892.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-39892.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-39892

reference_id

reference_type

scores

value	0.00021
scoring_system	epss
scoring_elements	0.05897
published_at	2026-04-21T12:55:00Z

value	0.00042
scoring_system	epss
scoring_elements	0.12961
published_at	2026-04-09T12:55:00Z

value	0.00042
scoring_system	epss
scoring_elements	0.12839
published_at	2026-04-13T12:55:00Z

value	0.00042
scoring_system	epss
scoring_elements	0.12885
published_at	2026-04-12T12:55:00Z

value	0.00042
scoring_system	epss
scoring_elements	0.1292
published_at	2026-04-11T12:55:00Z

value	0.0006
scoring_system	epss
scoring_elements	0.18844
published_at	2026-04-18T12:55:00Z

value	0.0006
scoring_system	epss
scoring_elements	0.18831
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-39892

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/pyca/cryptography

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pyca/cryptography

reference_url

https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T19:41:57Z/

url

https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-39892

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-39892

reference_url

http://www.openwall.com/lists/oss-security/2026/04/08/12

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2026/04/08/12

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133076
reference_id	1133076
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133076

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2456735
reference_id	2456735
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2456735

reference_url

https://github.com/advisories/GHSA-p423-j2cm-9vmq

reference_id

GHSA-p423-j2cm-9vmq

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-p423-j2cm-9vmq

reference_url	https://access.redhat.com/errata/RHSA-2026:7295
reference_id	RHSA-2026:7295
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7295

fixed_packages

url	pkg:deb/debian/python-cryptography@46.0.7-1
purl	pkg:deb/debian/python-cryptography@46.0.7-1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-cryptography@46.0.7-1

aliases CVE-2026-39892, GHSA-p423-j2cm-9vmq

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-za3q-wwzc-qbgv

Fixing_vulnerabilities

url VCID-rgsr-9wpx-qqg6

vulnerability_id VCID-rgsr-9wpx-qqg6

summary

cryptography has incomplete DNS name constraint enforcement on peer names
## Summary

In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named `bar.example.com` to validate against a wildcard leaf certificate for `*.example.com`, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for `bar.example.com`.

This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.

In practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.

See CVE-2025-61727 for a similar bypass in Go's `crypto/x509`.

## Remediation

Users should upgrade to 46.0.6 or newer. 

## Attribution

Reporter: @1seal

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34073.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34073.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34073

reference_id

reference_type

scores

value	0.00022
scoring_system	epss
scoring_elements	0.05951
published_at	2026-04-18T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.0594
published_at	2026-04-16T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05975
published_at	2026-04-13T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05985
published_at	2026-04-12T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05994
published_at	2026-04-11T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.06012
published_at	2026-04-09T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05934
published_at	2026-04-07T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05972
published_at	2026-04-08T12:55:00Z

value	0.00023
scoring_system	epss
scoring_elements	0.06218
published_at	2026-04-02T12:55:00Z

value	0.00023
scoring_system	epss
scoring_elements	0.06249
published_at	2026-04-04T12:55:00Z

value	9e-05
scoring_system	epss
scoring_elements	0.0084
published_at	2026-04-21T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34073

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34073
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34073

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/pyca/cryptography

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	1.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/pyca/cryptography

reference_url

https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	1.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:50:17Z/

url

https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34073

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	1.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34073

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2453276
reference_id	2453276
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2453276

reference_url

https://github.com/advisories/GHSA-m959-cc7f-wv43

reference_id

GHSA-m959-cc7f-wv43

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-m959-cc7f-wv43

reference_url	https://access.redhat.com/errata/RHSA-2026:7295
reference_id	RHSA-2026:7295
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7295

fixed_packages

url pkg:deb/debian/python-cryptography@46.0.6-1

purl pkg:deb/debian/python-cryptography@46.0.6-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-za3q-wwzc-qbgv

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-cryptography@46.0.6-1

aliases CVE-2026-34073, GHSA-m959-cc7f-wv43

risk_score 2.4

exploitability 0.5

weighted_severity 4.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rgsr-9wpx-qqg6

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-cryptography@46.0.6-1

Package Instance