VulnerableCode Package Details - pkg:pypi/cryptography@42.0.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-f44c-ygbw-bufn Aliases: CVE-2026-26007 GHSA-r6ph-v2qm-q3c2	cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves ## Vulnerability Summary The `public_key_from_numbers` (or `EllipticCurvePublicNumbers.public_key()`), `EllipticCurvePublicNumbers.public_key()`, `load_der_public_key()` and `load_pem_public_key()` functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point `P` from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as `S = [victim_private_key]P` via ECDH, this leaks information about `victim_private_key mod (small_subgroup_order)`. For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. ## Credit This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine	46.0.5 Affected by 0 other vulnerabilities.
VCID-gqj1-zam7-c3bv Aliases: CVE-2024-12797 GHSA-79v4-65xg-pq4g	Vulnerable OpenSSL included in cryptography wheels pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt. If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.	44.0.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-p5vx-kq3j-b3ds Aliases: GHSA-h4gh-qq45-vh27	pyca/cryptography has a vulnerable OpenSSL included in cryptography wheels pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 37.0.0-43.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20240903.txt. If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.	43.0.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-f44c-ygbw-bufn
Aliases:
CVE-2026-26007
GHSA-r6ph-v2qm-q3c2

cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves ## Vulnerability Summary The `public_key_from_numbers` (or `EllipticCurvePublicNumbers.public_key()`), `EllipticCurvePublicNumbers.public_key()`, `load_der_public_key()` and `load_pem_public_key()` functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point `P` from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as `S = [victim_private_key]P` via ECDH, this leaks information about `victim_private_key mod (small_subgroup_order)`. For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. ## Credit This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine

46.0.5
Affected by 0 other vulnerabilities.

VCID-gqj1-zam7-c3bv
Aliases:
CVE-2024-12797
GHSA-79v4-65xg-pq4g

Vulnerable OpenSSL included in cryptography wheels pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt. If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

44.0.1
Affected by 1 other vulnerability.

VCID-p5vx-kq3j-b3ds
Aliases:
GHSA-h4gh-qq45-vh27

pyca/cryptography has a vulnerable OpenSSL included in cryptography wheels pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 37.0.0-43.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20240903.txt. If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

43.0.1
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-g772-pn9e-7ufv	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.	CVE-2024-26130 GHSA-6vqw-3v5j-54x4 PYSEC-2024-225

Vulnerability

Summary

Aliases

VCID-g772-pn9e-7ufv

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.

CVE-2024-26130
GHSA-6vqw-3v5j-54x4
PYSEC-2024-225

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-12T01:41:28.072815+00:00	GitLab Importer	Affected by	VCID-f44c-ygbw-bufn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2026-26007.yml	38.3.0
2026-04-12T00:39:53.403631+00:00	GitLab Importer	Affected by	VCID-gqj1-zam7-c3bv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2024-12797.yml	38.3.0
2026-04-12T00:25:25.371646+00:00	GitLab Importer	Affected by	VCID-p5vx-kq3j-b3ds	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/GHSA-h4gh-qq45-vh27.yml	38.3.0
2026-04-03T01:50:22.440655+00:00	GitLab Importer	Affected by	VCID-f44c-ygbw-bufn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2026-26007.yml	38.1.0
2026-04-03T00:47:49.171664+00:00	GitLab Importer	Affected by	VCID-gqj1-zam7-c3bv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2024-12797.yml	38.1.0
2026-04-03T00:33:02.809378+00:00	GitLab Importer	Affected by	VCID-p5vx-kq3j-b3ds	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/GHSA-h4gh-qq45-vh27.yml	38.1.0
2026-04-01T16:04:39.815898+00:00	GHSA Importer	Fixing	VCID-g772-pn9e-7ufv	https://github.com/advisories/GHSA-6vqw-3v5j-54x4	38.0.0
2026-04-01T15:16:02.524319+00:00	PyPI Importer	Fixing	VCID-g772-pn9e-7ufv	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.0.0
2026-04-01T12:52:32.963958+00:00	GitLab Importer	Fixing	VCID-g772-pn9e-7ufv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2024-26130.yml	38.0.0
2026-04-01T12:50:30.422156+00:00	GithubOSV Importer	Fixing	VCID-g772-pn9e-7ufv	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-6vqw-3v5j-54x4/GHSA-6vqw-3v5j-54x4.json	38.0.0
2026-04-01T12:49:22.608341+00:00	Pypa Importer	Fixing	VCID-g772-pn9e-7ufv	https://github.com/pypa/advisory-database/blob/main/vulns/cryptography/PYSEC-2024-225.yaml	38.0.0