VulnerableCode Package Details - pkg:deb/debian/python-cryptography@0?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-av98-fhpr-tkhh	The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.	CVE-2023-38325 GHSA-cf7p-gm2m-833m PYSEC-2023-112
VCID-g772-pn9e-7ufv	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.	CVE-2024-26130 GHSA-6vqw-3v5j-54x4 PYSEC-2024-225
VCID-za3q-wwzc-qbgv	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.	CVE-2026-39892 GHSA-p423-j2cm-9vmq

Vulnerability

Summary

Aliases

VCID-av98-fhpr-tkhh

The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.

CVE-2023-38325
GHSA-cf7p-gm2m-833m
PYSEC-2023-112

VCID-g772-pn9e-7ufv

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.

CVE-2024-26130
GHSA-6vqw-3v5j-54x4
PYSEC-2024-225

VCID-za3q-wwzc-qbgv

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.

CVE-2026-39892
GHSA-p423-j2cm-9vmq

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T09:29:58.738027+00:00	Debian Importer	Fixing	VCID-g772-pn9e-7ufv	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:17:49.508250+00:00	Debian Importer	Fixing	VCID-av98-fhpr-tkhh	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-12T18:15:29.344582+00:00	Debian Importer	Fixing	VCID-za3q-wwzc-qbgv	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:20:08.173334+00:00	Debian Importer	Fixing	VCID-g772-pn9e-7ufv	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:12:44.570803+00:00	Debian Importer	Fixing	VCID-av98-fhpr-tkhh	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-09T17:37:11.383061+00:00	Debian Importer	Fixing	VCID-za3q-wwzc-qbgv	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:38.837390+00:00	Debian Importer	Fixing	VCID-g772-pn9e-7ufv	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:38.642232+00:00	Debian Importer	Fixing	VCID-av98-fhpr-tkhh	https://security-tracker.debian.org/tracker/data/json	38.1.0