VulnerableCode Package Details - pkg:pypi/cryptography@44.0.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-f44c-ygbw-bufn Aliases: CVE-2026-26007 GHSA-r6ph-v2qm-q3c2	cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves ## Vulnerability Summary The `public_key_from_numbers` (or `EllipticCurvePublicNumbers.public_key()`), `EllipticCurvePublicNumbers.public_key()`, `load_der_public_key()` and `load_pem_public_key()` functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point `P` from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as `S = [victim_private_key]P` via ECDH, this leaks information about `victim_private_key mod (small_subgroup_order)`. For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. ## Credit This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine	46.0.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-f44c-ygbw-bufn
Aliases:
CVE-2026-26007
GHSA-r6ph-v2qm-q3c2

cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves ## Vulnerability Summary The `public_key_from_numbers` (or `EllipticCurvePublicNumbers.public_key()`), `EllipticCurvePublicNumbers.public_key()`, `load_der_public_key()` and `load_pem_public_key()` functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point `P` from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as `S = [victim_private_key]P` via ECDH, this leaks information about `victim_private_key mod (small_subgroup_order)`. For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. ## Credit This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine

46.0.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-gqj1-zam7-c3bv	Vulnerable OpenSSL included in cryptography wheels pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt. If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.	CVE-2024-12797 GHSA-79v4-65xg-pq4g

Vulnerability

Summary

Aliases

VCID-gqj1-zam7-c3bv

Vulnerable OpenSSL included in cryptography wheels pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt. If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

CVE-2024-12797
GHSA-79v4-65xg-pq4g

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-12T01:41:28.104617+00:00	GitLab Importer	Affected by	VCID-f44c-ygbw-bufn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2026-26007.yml	38.3.0
2026-04-07T04:56:58.688005+00:00	GHSA Importer	Fixing	VCID-gqj1-zam7-c3bv	https://github.com/advisories/GHSA-79v4-65xg-pq4g	38.1.0
2026-04-03T01:50:22.473998+00:00	GitLab Importer	Affected by	VCID-f44c-ygbw-bufn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2026-26007.yml	38.1.0
2026-04-02T12:40:51.514640+00:00	GitLab Importer	Fixing	VCID-gqj1-zam7-c3bv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2024-12797.yml	38.0.0
2026-04-01T12:55:42.026968+00:00	GithubOSV Importer	Fixing	VCID-gqj1-zam7-c3bv	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-79v4-65xg-pq4g/GHSA-79v4-65xg-pq4g.json	38.0.0